JP7411548B2 - Replication of resource types and schema metadata for multi-tenant identity cloud services - Google Patents

Description

CROSS-REFERENCE TO RELATED APPLICATIONS This application claims priority to U.S. Provisional Patent Application No. 62/802,887, filed February 2, 2019, the disclosure of which is incorporated herein by reference.

Field One embodiment is directed to identity management in general, and in particular in cloud systems.

Background Information Cloud-based applications (e.g., enterprise public cloud applications, third-party (e.g. cloud applications) is rapidly increasing. The high diversity and accessibility of cloud-based applications makes identity management and access security a central concern. Typical security issues in cloud environments include unauthorized access, account hijacking, and malicious insiders. Therefore, secure access to applications, whether cloud-based or located anywhere, is required regardless of the type of device or type of user accessing the application.

Overview Embodiments operate a multi-tenant cloud system having a first data center. At the first data center, embodiments authenticate the first client and store resources corresponding to the first client, the first data center authenticate the first client and replicate the resources. and a second data center configured to: In response to an upgrade of global resources at the first data center to a new version, embodiments generate a manifest file that includes a list of global resource types and schemas that were modified or added in response to the upgrade. Embodiments further upgrade the global resource based on the manifest file, write the upgraded global resource to the first global database, and generate a change event message corresponding to the upgraded global resource. Embodiments push a change event message to a second data center, and then the second data center compares the current version with the new version and when the current version is not newer than the new version. applies the change event message to the second global database, ignores the change event message when the current version is as new as the new version, or is newer than the new version, and changes the non-replication service. to load global resources from a binary distribution instead of a second global database.

1 is a block diagram of an example embodiment that provides cloud-based identity management. FIG. 1 is a block diagram of an example embodiment that provides cloud-based identity management. FIG. 1 is a block diagram of an example embodiment that provides cloud-based identity management. FIG. 1 is a block diagram of an example embodiment that provides cloud-based identity management. FIG. 1 is a block diagram of an example embodiment that provides cloud-based identity management. FIG. 1 is a block diagram providing a system view of an embodiment. FIG. FIG. 2 is a block diagram providing a functional view of an embodiment. FIG. 2 is a block diagram of an embodiment implementing Cloud Gate. 1 is a diagram illustrating an example of a system that implements multiple tenancy in one embodiment. FIG. FIG. 2 is a block diagram of a network view of an embodiment. 1 is a block diagram of a system architecture view of single sign-on ("SSO") functionality in one embodiment; FIG. FIG. 3 is a message sequence flow diagram of the SSO functionality in one embodiment. 1 is a diagram illustrating an example of a distributed data grid in one embodiment. FIG. FIG. 2 is a diagram illustrating a plurality of deployed data centers (denoted as "DC"), each forming a "region", according to an embodiment of the present invention; FIG. 3 is a diagram illustrating a processing flow of replication change events/logs between a master IDCS deployment and a replica IDCS deployment according to an embodiment of the present invention. FIG. 3 is a diagram illustrating a process flow of conflict resolution between a master IDCS deployment and a replica IDCS deployment according to an embodiment of the present invention. FIG. 2 is a block diagram illustrating further details of a master IDCS deployment and a replica IDCS deployment, according to an embodiment of the invention. FIG. 4 is a flow diagram of conflict resolution according to replication according to an embodiment of the present invention. 1 is a schematic diagram of a global resource replication configuration according to an embodiment. FIG. 2 is a diagram illustrating global resource replication and upgrade from a master region to a replica region according to an embodiment.

DETAILED DESCRIPTION Embodiments describe, for example, version release upgrades at a master data center by providing metadata replication between a master data center/region and a replica data center/region. After a version upgrade, metadata including global resources such as resource types and schemas must be replicated, and this metadata must be consistent in the replica region before data replication occurs between master and replica. There is a need. Embodiments provide this alignment anteriorly and posteriorly. This is because any upgraded region can be considered a master region, and all other regions are then considered replica regions for metadata replication.

Embodiments provide an identity cloud service that enables a microservices-based architecture while providing multi-tenant identity and data security management and secure access to cloud-based applications. Embodiments support secure access for hybrid cloud deployments (i.e., cloud deployments that include a combination of public and private clouds). Embodiments protect applications and data both in the cloud and on-premises. Embodiments support multi-channel access via the web, mobile devices, and application programming interfaces ("APIs"). Embodiments manage access for various users, such as customers, partners, and employees. Embodiments manage, control, and audit both access through the cloud and on-premises access. Embodiments integrate with new and existing applications and identities. Embodiments are laterally scalable.

One embodiment is a system that provides cloud-based multi-tenant identity and access management services by implementing a large number of microservices in a stateless middle-tier environment. In one embodiment, each requested identity management service is divided into real-time tasks and near-real-time tasks. Real-time tasks are handled by middle-tier microservices, while near-real-time tasks are offloaded to message queues. Embodiments enhance the security model for accessing microservices by implementing access tokens that are consumed by routing and middle tiers. Accordingly, embodiments provide a cloud-scale Identity and Access Management (“IAM”) platform based on a multi-tenant microservices architecture.

One embodiment provides an identity cloud service that enables organizations to rapidly develop fast, reliable, and secure services for their new business initiatives. In one embodiment, the identity cloud service provides a number of core services. Each core service solves a unique challenge faced by many companies. In one embodiment, the identity cloud service supports users, for example, when initially onboarding/importing users, when importing groups with user members, when creating/updating/disabling/enabling/deleting users, Supports administrators when assigning/unassigning users to groups, creating/updating/deleting groups, resetting passwords, managing policies, submitting activations, etc.

One embodiment of unified access security protects applications and data in both cloud and on-premises environments. This embodiment secures access to any application by anyone from any device. This embodiment provides protection across both of these environments. This is because any security discrepancy between these two environments can increase the risk. For example, if such a conflict exists, a salesperson may still have access to his or her Customer Relationship Management (“CRM”) account even after he or she has defected and moved to a competitor. It may continue to do so. Accordingly, embodiments extend security controls provisioned in an on-premises environment to a cloud environment. For example, if a person leaves a company, embodiments ensure that their account is disabled both on-premises and in the cloud.

Typically, users may access applications and/or data through a wide variety of channels, such as a web browser, desktop, mobile phone, tablet, smart watch, and other wearable devices. Therefore, one embodiment secures access through all of these channels. For example, a user can use their mobile phone to complete a transaction initiated on their desktop.

One embodiment further manages access for various users, such as customers, partners, employees, etc. Generally, applications and/or data may be accessed not only by employees, but also by customers or third parties. Many known systems provide security measures when onboarding employees, but these security measures are typically not at the same level of security as when granting access to customers, third parties, partners, etc. , As a result, security may be breached by persons who are not properly supervised. However, embodiments ensure that sufficient security measures are provided for access for each type of user as well as for employees.

Identity Cloud Service embodiments provide Identity Cloud Service (“IDCS”), a multi-tenant, cloud-scale IAM platform. IDCS provides authentication, authorization, auditing, and federation. IDCS manages access to custom applications and services running on public cloud and on-premises systems. In alternative or additional embodiments, the IDCS may also manage access to public cloud services. For example, IDCS can be used to provide Single Sign On ("SSO") functionality across such diverse services/applications/systems.

Embodiments are based on a multi-tenant microservices architecture for designing, building, and delivering cloud-scale software services. Multi-tenancy refers to a service that is a physical implementation of a service that safely supports multiple customers who have purchased the service. A service provides a software function or set of software functions (such as retrieving specified information or performing a set of actions) that can be reused by different clients for different purposes (e.g., requesting a service). policy that governs its use (based on client identity). In one embodiment, a service is a mechanism that enables access to one or more functionalities, where this access is provided using a predefined interface and is enforced according to constraints and policies specified by the service description. Ru.

In one embodiment, microservices are independently deployable services. In one embodiment, the term microservices is intended for a software architecture design pattern in which complex applications are composed of small independent processes that communicate with each other using language-independent APIs. In one embodiment, microservices are finely isolated small services, each service may focus on performing small tasks. In one embodiment, the microservices architectural style is an approach to developing a single application as a set of small services, where each service runs in its own process and uses lightweight mechanisms (e.g., Hypertext Transfer Protocol). Transfer Protocol (“HTTP”) resource API). In one embodiment, microservices are easier to replace when compared to monolithic services that perform all or many of the same functions. Additionally, each microservice can be updated without negatively impacting other microservices. On the other hand, updating one part of a monolithic service can have undesirable or unintended negative effects on other parts of the monolithic service. In one embodiment, microservices may be beneficially organized around their functionality. In one embodiment, the startup time of each microservice in the collection of microservices is much shorter than the startup time of a single application that executes all of these microservices together. In some embodiments, the startup time for each such microservice is about 1 second or less, whereas the startup time for a single such application is about 1 minute, several minutes, or longer. There are cases.

In one embodiment, a microservices architecture refers to a service oriented architecture ("SOA") specialization (i.e., task (separation) and realization method. Services in a microservices architecture are processes that communicate with each other over a network to accomplish a goal. In one embodiment, these services use technology independent protocols. In one embodiment, the service uses a protocol that has low granularity and is lightweight. In one embodiment, services are independently deployable. By distributing system functionality into different small services, system cohesion is improved and system coupling is reduced. It facilitates system changes and makes it easy to add functionality and quality to the system at any time. It also allows the architecture of individual services to emerge through constant refactoring, thus reducing the need for extensive up-front design and allowing software to be released in early succession. become.

In one embodiment, in a microservices architecture, an application is developed as a collection of services, each running its own process and communicating using a lightweight protocol (eg, a unique API for each microservice). In a microservices architecture, decomposing a piece of software into individual services/functions can be done at different levels of granularity depending on the service being provided. A service is a runtime component/process. Each microservice is a self-contained module that can talk to other modules/microservices. Each microservice has an anonymous universal port that can be contacted by others. In one embodiment, a microservice's anonymous universal port is a standard communication channel that the microservice traditionally exposes (such as a traditional HTTP port) to which other modules/microservices within the same service It is a standard communication channel that allows people to talk to each other. Microservices or other self-contained functional modules may be collectively referred to as "services."

Embodiments provide multi-tenant identity management services. Embodiments are based on open standards that ensure easy integration with a variety of applications and provide IAM functionality through standards-based services.

Embodiments manage the life cycle of user identities, which involves determining and enforcing what an identity can access, who can grant such access, who can manage such access, and so on. Embodiments run identity management workloads in the cloud and support security features for applications that do not necessarily reside within this cloud. The identity management services provided by these embodiments may be purchased from the cloud. For example, a company may purchase such services from the cloud to manage its employees' access to the company's applications.

Embodiments provide system security, massive scalability, end user usability, and application interoperability. Embodiments address the growth of the cloud and the use of identity services by customers. Microservices-based foundations deal with horizontal scalability conditions, whereas fine-tuning of services deals with functional conditions. To achieve both of these goals, business logic is decomposed (as much as possible) to ultimately achieve consistent statelessness, while most of the behavioral logic that does not undergo real-time processing is delivered Shift to near real-time by offloading to a highly scalable asynchronous event management system with guaranteed processing. Embodiments are fully multi-tenant from the web layer to the data to achieve cost efficiency and ease system management.

Embodiments use industry standards (e.g., OpenID Connect, OAuth2, Security Assertion Markup Language 2 (“SAML2”), cross-domain identity management) to facilitate integration with a variety of applications. System for Cross-domain Identity Management (“SCIM”), Representational State Transfer (“REST”), etc.). One embodiment provides a cloud-scale API platform to enable horizontally scalable microservices for elastic scalability. This embodiment strengthens the cloud principle and provides a multi-tenant architecture in which data is separated for each tenant. This embodiment further provides per-tenant customization via tenant self-service. This embodiment is available via an API for on-demand integration with other identity services and provides continuous feature releases.

One embodiment provides interoperability and enhances investments in identity management ("IDM") capabilities in the cloud and on-premises. The present embodiments provide automated identity synchronization from on-premises Lightweight Directory Access Protocol (“LDAP”) data to cloud data and vice versa. The present embodiment provides a SCIM identity bus between the cloud and the enterprise, allowing various options for hybrid cloud deployment (eg, identity federation and/or synchronization, SSO agents, user provisioning connectors, etc.).

Accordingly, one embodiment is a system that provides cloud-based multi-tenant identity and access management services by implementing a large number of microservices in a stateless middle tier. In one embodiment, each requested identity management service is divided into real-time tasks and near-real-time tasks. Real-time tasks are handled by middle-tier microservices, while near-real-time tasks are offloaded to message queues. Embodiments implement tokens that are consumed by a routing layer to implement a security model for accessing microservices. Accordingly, embodiments provide a cloud-scale IAM platform based on a multi-tenant microservices architecture.

Generally, known systems provide siled access to applications provided by various environments, such as, for example, enterprise cloud applications, partner cloud applications, third party cloud applications, and customer applications. Such siled access may require multiple passwords, different password policies, different account provisioning and deprovisioning techniques, disparate auditing, etc. However, one embodiment provides unified IAM functionality for such applications by implementing IDCS. FIG. 1 is a block diagram 100 of an example embodiment using IDCS 118 to provide a unified identity platform 126 for onboarding users and applications. This embodiment provides a seamless user experience across various applications such as enterprise cloud application 102, partner cloud application 104, third party cloud application 110, and customer application 112. Applications 102, 104, 110, 112 may be accessed through different channels, for example, by mobile phone user 108 via mobile phone 106 and by desktop computer user 116 via browser 114. . A web browser (commonly referred to as a browser) is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. Examples of web browsers include Mozilla® Firefox®, Google Chrome®, Microsoft® Internet Explorer®, and Apple® Safari®. It will be done.

IDCS 118 provides a unified view 124 of a user's applications, unified secure credentials across devices and applications (via identity platform 126), and a unified method of management (via admin console 122). ,provide. IDCS services may be obtained by calling IDCS API 142. Such services include, for example, login/SSO services 128 (e.g., OpenID Connect), federation services 130 (e.g., SAML), token services 132 (e.g., OAuth), directory services 134 (e.g., SCIM), provisioning services 136 (e.g., SCIM or Any Transport over Multiprotocol (“AToM”)), event service 138 (eg, REST), and authorization service 140 (eg, SCIM). IDCS 118 may further provide reports and dashboards 120 regarding the services provided.

Integration Tools Large enterprises typically have IAM systems in place for secure access to their on-premises applications. Business methods typically mature and become standardized around in-house IAM systems such as Oracle's Oracle IAM Suite. Even small to medium sized organizations typically have their business processes designed around managing user access through a simple directory solution such as Microsoft Active Directory ("AD"). To enable on-premises integration, embodiments provide tools that allow customers to integrate their applications with IDCS.

FIG. 2 is a block diagram 200 of an example embodiment using IDCS 202 in a cloud environment 208 to provide integration with an on-premises 206 AD 204. This embodiment includes, for example, various applications/services within cloud 208 such as cloud services 210, cloud applications 212, partner applications 214, and customer applications 216, as well as on-premises and third party applications such as on-premises applications 218. Deliver a seamless user experience across applications. Cloud applications 212 include, for example, Human Capital Management ("HCM"), CRM, talent acquisition (e.g., Oracle's Oracle Taleo cloud service), and Configure Price and Quote. "CPQ"). Cloud services 210 may include, for example, Platform as a Service ("PaaS"), Java, databases, business intelligence ("BI"), documents, and the like.

Applications 210 , 212 , 214 , 216 , 218 may be accessed through different channels, for example, by mobile phone user 220 via mobile phone 222 and by desktop computer user 224 via browser 226 . Good too. The present embodiment automatically synchronizes identities from on-premises AD data to cloud data via SCIM identity bus 234 between cloud 208 and enterprise 206. The embodiment further provides a SAML bus 228 for orchestrating authentication (eg, using password 232) from cloud 208 to on-premises AD 204.

Generally, an identity bus is a service bus for identity-related services. A service bus provides a platform for passing messages from one system to another. It is a controlled mechanism for exchanging information between trusted systems, for example in a service oriented architecture ("SOA"). The identity bus is a logical bus built according to standard HTTP-based mechanisms such as web services, web server proxies, etc. Communication on the identity bus may be performed according to each protocol (eg, SCIM, SAML, OpenID Connect, etc.). For example, a SAML bus is an HTTP-based connection between two systems for conveying messages regarding SAML services. Similarly, the SCIM bus is used to convey SCIM messages according to the SCIM protocol.

The embodiment of FIG. 2 implements a small binary (eg, 1 MB in size) identity ("ID") bridge 230 that can be downloaded and installed on-premises 206 with a customer's AD 204. Identity bridge 230 listens for users and groups (eg, groups of users) in organizational units (“OUs”) selected by the customer and synchronizes these users to cloud 208 . In one embodiment, the user's password 232 is not synchronized to the cloud 208. Customers can manage application access for users by mapping groups of IDCS users to cloud applications managed in IDCS 208. Whenever a user's group membership changes on-premises 206, the corresponding cloud application access changes automatically.

For example, an employee who transfers from a technology department to a sales department can almost instantaneously gain access to the sales cloud and lose access to the developer cloud. When this change is reflected in the on-premises AD 204, cloud application access changes are realized in near real time. Similarly, a user's access to cloud applications managed by IDCS 208 is revoked when they leave this enterprise. For full automation, customers can set up SSO between on-premises AD 204 and IDCS 208, for example through an AD federation service (“AD/FS” or some other mechanism to achieve SAML federation), so that end users can A single corporate password 332 may be used to provide access to cloud applications 210, 212, 214, 216 and on-premises applications 218.

FIG. 3 is a block diagram 300 of an example embodiment that includes the same components 202, 206, 208, 210, 212, 214, 216, 218, 220, 222, 224, 226, 228, 234 as in FIG. However, in the embodiment of FIG. 3, IDCS 202 provides integration with an on-premises IDM 304, such as Oracle IDM. Oracle IDM 304 is Oracle's software suite for providing IAM functionality. This embodiment provides a seamless user experience across all applications, including on-premises and third-party applications. This embodiment provisions user identities from on-premises IDM 304 to IDCS 208 via SCIM identity bus 234 between cloud 202 and enterprise 206. The embodiment further provides a SAML bus 228 (or OpenID Connect bus) for authentication coordination from cloud 208 to on-premises 206.

In the embodiment of FIG. Implemented as an extension module. A connector is a module that has physical knowledge of how to talk to the system. OIM is an application configured to manage user identities (eg, manage user accounts for different systems based on what the user should and should not have access to). OAM is a security application that provides access management functions such as web SSO, identity context, authentication and authorization, policy management, testing, logging, and auditing. OAM has built-in support for SAML. If a user has an account with IDCS 202, OIM connector 302 and OAM integration 306 can be used with Oracle IDM 304 to create/delete this account and manage access from this account.

FIG. 4 is a block diagram 400 of an example embodiment including the same components 202, 206, 208, 210, 212, 214, 216, 218, 220, 222, 224, 226, 234 as in FIGS. 2 and 3. . However, in the embodiment of FIG. 4, IDCS 202 provides functionality for extending cloud identities to on-premises applications 218. This embodiment provides a seamless view of identity across all applications, including on-premises and third-party applications. In the embodiment of FIG. 4, SCIM identity bus 234 is used to synchronize data in IDCS 202 with on-premises LDAP data, referred to as "cloud cache" 402. Cloud cache 402 is disclosed in more detail below.

Generally, applications configured to communicate based on LDAP require an LDAP connection. Such applications may not establish LDAP connections using URLs (unlike, for example, "www.google.com" which connects to Google). This is because LDAP must be on the local network. In the embodiment of FIG. 4, LDAP-based application 218 connects to cloud cache 402, which connects to IDCS 202 and then pulls the requested data from IDCS 202. Communication between IDCS 202 and cloud cache 402 may be accomplished according to the SCIM protocol. For example, cloud cache 402 may use SCIM bus 234 to send SCIM requests to IDCS 202 and receive corresponding data.

A complete implementation of an application typically involves building a consumer portal, running marketing campaigns to external user populations, supporting web and mobile channels, and managing user authentication, sessions, and This includes handling profiles, user groups, application roles, password policies, self-service/registration, social integration, identity federation, etc. Application developers are typically not identity/security experts. This is why on-demand identity management services are desirable.

FIG. 5 is a block diagram 500 of an example embodiment that includes the same components 202, 220, 222, 224, 226, 234, 402 as in FIGS. 2-4. However, in the embodiment of FIG. 5, IDCS 202 provides secure identity management on demand. The present embodiment provides on-demand integration of IDCS 202 with identity services (eg, based on standards such as OpenID Connect, OAuth2, SAML2, or SCIM). An application 505 (which may be on-premises or in a public or private cloud) may call an identity service API 504 of the IDCS 202. Services provided by IDCS 202 may include, for example, self-service registration 506, password management 508, user profile management 510, user authentication 512, token management 514, social integration 516, and the like.

In this embodiment, SCIM identity bus 234 is used to synchronize data in IDCS 202 with data in on-premises LDAP cloud cache 402. Additionally, “Cloud Gate” 502 running on a web server/proxy (eg, NGINX, Apache, etc.) may be used by applications 505 to obtain user web SSO and REST API security from IDCS 202. Cloud Gate 502 securely provides access to multi-tenant IDCS microservices by ensuring that the client application provides a valid access token and/or that the user successfully authenticates for SSO session establishment. It is a component that does something. Cloud Gate 502 is further disclosed below. Cloud Gate 502 (an enforcement point similar to webgate/webagent) allows applications running behind supported web servers to participate in SSO.

One embodiment provides SSO and cloud SSO functionality. For many organizations, SSO is a common entry point for both on-premises IAM and IDCS. Cloud SSO allows users to access multiple cloud resources with a single user sign-in. Organizations often want to federate their on-premises identities. Thus, by leveraging open standards, embodiments enable investment savings and scaling by enabling integration with existing SSO (e.g., up to an eventual complete migration to an identity cloud service approach). ).

One embodiment may provide the following functionality.
- Track already authorized user accounts, ownership, access, and permissions by maintaining an identity store.
- Integration with workflows to facilitate various approvals (e.g., administrative, IT, human resources, legal, and compliance) required for application access.
- Provision SaaS user accounts for selective devices (e.g. mobile and personal computers ("PCs")). Access to the user portal includes numerous private and public cloud resources.
- Facilitates regular management verification of compliance with regulations and current job responsibilities.

In addition to these features, embodiments further include:
・Cloud account provisioning for account lifecycle management in cloud applications;
・Integration of more robust multifactor authentication (“MFA”);
- May provide enhanced mobile security features, and - Dynamic authentication options.

One embodiment provides adaptive authentication and MFA. Passwords and verification questions have generally been considered insufficient and susceptible to common attacks such as phishing. Most modern corporate entities are turning to some form of MFA to reduce risk. However, for a solution to be successfully deployed, it needs to be easily provisioned, maintained, and understood by end users. This is because end users typically resist anything that interferes with their digital experience. Enterprises can make MFA a near-transparent component of a seamless user access experience while securing bring your own device (“BYOD”), social identity, remote users, customers, and subscribers. I'm looking for a way to incorporate it. In deploying MFA, industry standards such as OAuth and OpenID Connect are essential to ensure the integration of existing multi-factor solutions and the introduction of newer adaptive authentication technologies. Accordingly, embodiments define dynamic (or adaptive) authentication as the evaluation of available information (i.e., IP address, location, time, and biometrics) to prove identity after a user session begins. Using appropriate standards (e.g., open authentication ("OATH") and fast online authentication ("FIDO") integration and an extensible identity management framework, embodiments can: Provides an MFA solution that can be easily adopted, upgraded, and integrated within IT organizations as part of an end-to-end secure IAM deployment.When considering MFA and adaptive policies, organizations can choose between hybrid IDCS and on-premises Consistent policies must be achieved across on-premises and cloud resources requiring integration between systems in an IAM environment.

One embodiment provides user provisioning and certification. Generally, the basic functionality of an IAM solution is to enable and support the entire user provisioning lifecycle. This means giving users application access appropriate to their identity and role within the organization (e.g., the user's role or the tasks or applications used within that role change over time). (as users change) and the rapid user deprovisioning required when a user leaves an organization. This is important not only to meet various compliance requirements, but also because inappropriate insider access is a major cause of security breaches and attacks. Automated user provisioning capabilities in an identity cloud solution can be important not only in its own right, but also as part of a hybrid IAM solution, and therefore IDCS provisioning can be used as an enterprise to downsize, expand, If you are looking to merge or integrate existing systems with an IaaS/PaaS/SaaS environment, it may offer more flexibility than on-premises solutions during migration. The IDCS approach can save time and effort in one-time upgrades and ensures proper integration of necessary departments, business units, and systems. Enterprises often have a silent need to scale this technology, and rapidly delivering scalable IDCS functionality across an enterprise system can provide benefits in terms of flexibility, cost, and control.

Typically, employees are granted additional privileges over the years as their job changes (i.e., "authority creep"). Companies that are less regulated generally lack a "proof" process. This process involves regularly auditing the privileges of a company's employees (e.g., access to networks, servers, applications, and data) to prevent privilege creep that results in overprivileged accounts. Requires management to stop or slow down. Accordingly, one embodiment may provide for a verification process that is performed periodically (at least once a year). Additionally, with mergers and acquisitions, the need for these tools and services increases exponentially. This is because the users are in a SaaS system, on-premises, across different departments, and/or have been deprovisioned or reassigned. The move to the cloud could further disrupt this situation, and things could quickly escalate beyond existing, often manually managed certification methods. Accordingly, one embodiment automates these functions and applies advanced analytics to user profiles, access history, provisioning/deprovisioning, and disaggregated rights.

One embodiment provides identity analysis. In general, the ability to integrate identity analytics with IAM engines for comprehensive attestation and proofing can be essential to securing an organization's risk profile. Properly deployed identity analytics can require enforcement of entire internal policies. Identity analytics, which provides a unified, single management view across cloud and on-premises, is highly needed in proactive governance, risk, and compliance (“GRC”) enterprise environments. can help provide a closed-loop process to reduce and meet compliance regulations. Accordingly, one embodiment provides identity analysis. Identity Analytics can be easily customized by clients to meet specific industry conditions and government regulations for the reporting and analysis required by managers, executives, and auditors.

One embodiment improves end user experience and efficiency while reducing the cost of help desk calls by providing self-service and access request functionality. Although many companies typically deploy on-premises self-service access requests for their employees, many do not adequately extend these systems outside of the formal corporate walls. A positive digital customer experience outside of employee usage increases business confidence and ultimately contributes to increased revenue, allowing companies to not only reduce customer help desk calls but also increase customer satisfaction. enhance Accordingly, one embodiment provides an identity cloud service environment that is based on open standards and seamlessly integrates with existing access control software and MFA mechanisms as required. The SaaS delivery model eliminates the time and effort previously spent on system upgrades and maintenance, freeing up IT professional staff to focus on more core business applications.

One embodiment provides privileged account management (“PAM”). Typically, all organizations, whether using SaaS, PaaS, IaaS, or on-premises applications, use insider access credentials for system administrators, executive staff, human resources executives, contractors, system integrators, and other superusers. Vulnerable to unauthorized use of privileged accounts by In addition, external threats typically first compromise low-level user accounts and eventually reach and exploit privileged user access controls within enterprise systems. Accordingly, one embodiment prevents account use by such unauthorized insiders by providing PAM. A key component of a PAM solution is a password vault, which can be provisioned in a variety of ways. It may be provided in a variety of ways, for example, as software installed on a corporate server, as a virtual appliance also on a corporate server, as a packaged hardware/software appliance, or as part of a cloud service. The PAM function is similar to a physical secure location used to store passwords that are kept in an envelope and changed periodically in the manifest for sign-in and sign-out. One embodiment allows for password checkouts as well as setting time limits, forced period changes, automatic checkout tracking, and reporting on all activity. One embodiment provides a way to connect directly to a requested resource without the user knowing the password. This feature also paves the way for session management and other features.

Generally, most cloud services utilize APIs and management interfaces. These provide an opportunity for intruders to bypass security. Accordingly, one embodiment fills these deficiencies in the implementation of PAM. This is because moving to the cloud creates new challenges for PAM. While many small to medium-sized businesses now manage their own SaaS systems (e.g. Office 365), larger enterprises increasingly have individual business units that rotate their own SaaS and IaaS services. ing. These customers have little experience handling this responsibility, although PAM functionality is included in their identity cloud service solution or obtained from their IaaS/PaaS provider. Additionally, in some cases, many different geographically dispersed business units seek to separate management responsibilities for the same SaaS application. Accordingly, one embodiment allows customers in these situations to link their existing PAM into the overall identity framework of the identity cloud service and provide a platform for greater security and compliance as business needs require. This makes it possible to reliably adjust the cloud loading conditions.

An API platform provided by an API platform embodiment exposes a collection of functionality as a service. APIs are aggregated into microservices, and each microservice exposes one or more of the APIs. That is, each microservice may expose different types of APIs. In one embodiment, each microservice only communicates through its API. In one embodiment, each API may be a microservice. In one embodiment, multiple APIs are aggregated into one service based on the target functionality provided by the service (eg, OAuth, SAML, Admin, etc.). As a result, similar APIs are not exposed as separate runtime processes. The API is made available to service consumers to use the services provided by IDCS.

Generally, in the IDCS web environment, a URL includes three parts: a host, a microservice, and a resource (eg, host/microservice/resource). In one embodiment, a microservice is characterized as having a particular URL prefix (eg, "host/oauth/v1"), and the actual microservice is "oauth/v1". There are multiple APIs under "oauth/v1", for example, API for requesting a token: "host/oauth/v1/token", API for authorizing a user: " host/oauth/v1/authorize". That is, the URL implements a microservice, and the resource part of the URL implements an API. Therefore, multiple APIs are aggregated under the same microservice. In one embodiment, the host portion of the URL identifies the tenant (eg, https://tenant3.identity.oraclecloud.com:/oauth/v1/token).

Configuring applications that integrate with external services with the necessary endpoints and keeping the configuration up to date is typically a challenge. To overcome this challenge, embodiments expose a public discovery API to a well-known location from which applications can discover information about the IDCS needed to consume the ADCS API. can. In one embodiment, two discovery documents are supported, including IDCS configuration (e.g., IDCS, SAML, SCIM, OAuth, and OpenID Connect configuration at <IDCS-URL>/.well-known/idcs-configuration). ) and the industry standard OpenID Connect configuration (eg, <IDCS-URL>/.well-known/openid-configuration). Applications can retrieve discovery documents by configuring a single IDCS URL.

FIG. 6 is a block diagram that provides a system view 600 of IDCS in one embodiment. In FIG. 6, any of the various applications/services 602 can use IDCS services by making HTTP calls to the IDCS API. Examples of such applications/services 602 include web applications, native applications (e.g., Windows applications, iOS applications, Android applications, etc.) built to run on a particular operating system. applications), web services, customer applications, partner applications, or Software as a Service (“SaaS”), PaaS, and Infrastructure as a Service (“IaaS”). ) and other services provided by public clouds.

In one embodiment, an application/service 602 HTTP request requesting an IDCS service is routed to the Oracle Public Cloud BIG-IP Appliance 604 and the IDCS BIG-IP Appliance 606 (or similar technology such as a load balancer, or appropriate security rules). A component called a Cloud Load Balancer as a Service (“LBaaS”) that protects traffic through a Cloud Load Balancer as a Service (LBaaS). However, this request may be received in any manner. At the IDCS BIG-IP appliance 606 (or similar technology, such as a load balancer or cloud LBaaS, if applicable), a cloud provisioning engine 608 performs tenant and service coordination. In one embodiment, the cloud provisioning engine 608 manages internal security artifacts associated with new tenants being onboarded to the cloud or new service instances purchased by the customer.

This HTTP request is then received by IDCS web routing layer 610. This routing layer implements a security gate (ie, cloud gate) and provides service routing and microservice registration and discovery 612. Depending on the requested service, the HTTP request is forwarded to IDCS microservices in IDCS middle layer 614. IDCS microservices handle external and internal HTTP requests. IDCS microservices enable platform and infrastructure services. IDCS Platform Services are separately deployed Java-based runtime services that enable the business of IDCS. IDCS infrastructure services are separately deployed runtime services that provide infrastructure support for IDCS. IDCS further includes infrastructure libraries, which are common code packaged as shared libraries used by IDCS services, and shared libraries. Infrastructure services and libraries provide the supporting functionality required by platform services to achieve their functionality.

In one embodiment of the platform service , IDCS supports standard authentication protocols and, therefore, IDCS microservices support OpenID Connect, OAuth, SAML2, System for Cross-domain Identity Management++ ("SCIM++"). ) and other platform services.

The OpenID Connect platform service implements the standard OpenID Connect login/logout flow. Interactive web-based and native applications require user authentication by promoting the standard browser-based OpenID Connect flow and use JavaScript Object Notation to convey the user's authenticated identity. ("JSON") Web Token ("JWT"). Under the hood, the runtime authentication model is stateless and hosts the user's authentication/session state using an HTTP cookie (including the JWT identity token). ). Authentication interactions initiated via the OpenID Connect protocol are delegated to a trusted SSO service that fulfills user login/logout ceremonies for local and federated logins.Further details on this feature is disclosed below with reference to Figures 10 and 11. In one embodiment, the OpenID Connect functionality is implemented, for example, according to the OpenID Foundation standard.

OAuth2 platform services provide token authorization services. It provides a rich API infrastructure for creating and validating access tokens that convey user rights and making API calls. It supports a range of useful token grant types and allows customers to securely connect clients to their services. This implements standard two-party and three-party OAuth2 token grant types. Support for OpenID Connect (“OIDC”) enables compliant applications (OIDC Relay Party (“RP”)) to integrate with IDCS as an identity provider (OIDC OpenID Provider (“OP Similarly, by integrating IDCS as an OIDC RP with social OIDC OPs (e.g., Facebook, Google, etc.), customers can enable policy-based access of social identities to applications. In one embodiment, OAuth functionality is implemented in accordance with, for example, Internet Engineering Task Force (“IETF”) Request for Comments (“RFC”) 6749.

SAML2 platform services provide identity federation services. This allows customers to set up collaboration agreements with their partners based on the SAML identity provider (“IDP”) and SAML service provider (“SP”) relationship model. do. In one embodiment, SAML2 platform services implement standard SAML2 browser post-login and logout profiles. In one embodiment, SAML functionality is implemented according to, for example, IETF, RFC 7522.

SCIM is an open standard for automating the exchange of user identity information between identity domains or information technology (“IT”) systems, such as provided by IETF, RFC 7642, 7643, 7644. be. The SCIM++ platform service provides identity management services and allows customers to access the IDP features of IDCS. The management service exposes a set of stateless REST interfaces (i.e., APIs) that cover identity lifecycle, password management, group management, etc., and exposes artifacts such as web-accessible resources.

All IDCS configuration artifacts are resources, and the Management Service API provides management services for IDCS resources (e.g. users, roles, password policies, applications, SAML/OIDC identity providers, SAML service providers, keys, certificates, notification templates, etc.). enable. The Management Service enhances and extends the SCIM standard to provide Create, Read, Update, Delete, and Query (“CRUDQ”) operations on all IDCS resources. Implements a schema-based REST API for In addition, all internal resources of IDCS used to manage and configure IDCS itself are exposed as SCIM-based REST APIs. Access to identity store 618 is separated to the SCIM++ API.

In one embodiment, for example, the SCIM standard is implemented to manage user and group resources defined by the SCIM standard, whereas SCIM++ is implemented to manage user and group resources defined by the SCIM standard, while SCIM++ uses the language defined by the SCIM standard to manage further IDCS Configured to support internal resources (e.g. password policies, roles, settings, etc.)

The management service supports SCIM 2.0 standard endpoints using the standard SCIM 2.0 core schema and optional schema extensions. In addition, the management service supports several SCIM 2.0 compliant endpoint extensions to manage other IDC resources, such as users, groups, applications, settings, etc. The management service also provides a remote procedure call-style ("RPC-style") REST interface that does not perform CRUDQ operations but instead provides functional services, such as "UserPasswordGenerator", "UserPasswordValidator", etc. supports a set of

The IDCS management API uses the OAuth2 protocol for authentication and authorization. IDCS supports common OAuth2 scenarios such as those for web servers, mobile, and JavaScript applications. Access to the IDCS API is protected by access tokens. In order to access the IDCS management API, an application must be registered as an OAuth2 client or as an IDCS application (in which case the OAuth2 client is automatically created) through the IDCS management console, and must have the desired IDCS management role. need to be given. When making an IDCS management API call, an application first requests an access token from the IDCS OAuth2 service. After obtaining this token, the application sends an access token with an HTTP authorization header included in it. Applications can use the IDCS management REST API directly or can use the IDCS Java client API library.

Infrastructure Services IDCS infrastructure services support the functionality of IDCS platform services. These runtime services include event processing services (for asynchronously processing user notifications, application subscriptions, and audits against databases) and event processing services (for scheduling and running jobs, for example, for long runs that do not require user intervention). A job scheduler service (to run timed tasks immediately or at set times), a cache management service (to integrate with public cloud storage services), and a storage management service (to generate reports and dashboards) reporting services (for managing internal user authentication and SSO); and reporting services (for managing internal user authentication and SSO); ”) service and a service manager service. Service Manager is the internal interface between Oracle Public Cloud and IDCS. The Service Manager manages commands issued by Oracle Public Cloud, which need to be fulfilled by IDCS. For example, if a customer signs up for an account in a cloud store before they are ready to purchase something, the cloud sends a request to IDCS to create a tenant. In this case, the service manager implements cloud-specific operations that the cloud expects the IDCS to support.

An IDCS microservice may call another IDCS microservice through a network interface (ie, an HTTP request).

In one embodiment, IDCS may also provide a schema service (or persistence service) that allows database schemas to be used. The Schema Service allows the responsibility of managing database schemas to be delegated to IDCS. Therefore, IDCS users do not need to manage a database. This is because IDCS services exist that provide this functionality. For example, a user might use a database to persist schemas on a per-tenant basis, and when the database runs out of space, the schema service can create another database so that the user does not have to manage the database himself. Manage the function of acquiring and expanding the above space.

The IDCS further includes a data store, which is a data repository that the IDCS requires/generates. This includes an identity store 618 (which stores users, groups, etc.), a global database 620 (which stores configuration data that IDCS uses to configure itself), and a global database 620 (which stores schemas for each tenant and customer data for each customer). an operational schema 622 (to store audit data), an audit schema 624 (to store audit data), a caching cluster 626 (to increase implementation speed by storing cached objects), and so on. All internal and external IDCS consumers are integrated with the identity service according to standards-based protocols. This allows the domain name system (“DNS”) to be used to determine where a request should be routed, removing consuming applications from understanding the internal implementation of the identity service. Let go.

Real-time and near-real-time tasks IDCS separates the tasks of the requested service into synchronous real-time tasks and asynchronous near-real-time tasks. Real-time tasks include only the operations necessary for the user to proceed. In one embodiment, real-time tasks are tasks that run with minimal delay, and near-real-time tasks are tasks that run in the background without the user having to wait. In one embodiment, a real-time task is one that executes with substantially no or very little delay and appears to the user to be executed almost instantaneously.

Real-time tasks perform the primary business functions of a particular identity service. For example, when requesting login services, an application sends a message to authenticate the user's credentials and obtain a session cookie for them. What the user experiences is logging into the system. However, several other tasks may be performed regarding a user's login, such as verifying who the user is, auditing, sending notifications, etc. Credential validation is thus a task performed in real-time, such as when a user is given an HTTP cookie to begin a session, but also when notifications (e.g. sending an email to notify account creation), audits, etc. Tasks related to (e.g., tracking/recording) etc. are near real-time tasks that can be performed asynchronously so that the user can proceed with minimal delay.

When an HTTP request for a microservice is received, the corresponding real-time task is executed by the middle-tier microservice, and the remaining near-real-time tasks, such as computational logic/events that do not necessarily undergo real-time processing, are placed in the message queue 628. Offloaded. Message queue 628 supports a highly scalable asynchronous event management system 630 with guaranteed delivery and processing. Thus, certain behaviors are pushed from the front end to the back end, allowing the IDCS to provide a high level of service to customers with less latency in response time. For example, the login process may include verifying credentials, submitting log reports, updating the last login time, etc., but these tasks can be offloaded to a message queue and performed in near real-time rather than real-time. Can be done.

In one example, the system may need to register or create a new user. The system calls the IDCS SCIM API to create a user. The end result is that when a user is created in the identity store 618, the user receives a notification email containing a link to reset their password. When the IDCS receives a request to register or create a new user, the corresponding microservice looks at the configuration data in the operational database (located within the global database 620 in Figure 6) and performs a "User Created" ” is marked in the “user created” event. This operation is identified in the configuration data as an asynchronous operation. The microservice returns to the client and indicates that the user creation was successful, but the actual sending of the notification email is deferred and pushed to the backend. To do so, the microservice uses messaging API 616 to place this message into a store, queue 628.

To populate the queue 628, the infrastructure microservice, the messaging microservice, runs continuously in the background and scans the queue 628 looking for events in the queue 628. Events in queue 628 are processed by event subscribers 630, such as audits, user notifications, application subscriptions, data analysis, etc. Depending on the task indicated by the event, event subscriber 630 may communicate with audit schema 624, user notification service 634, identity event subscriber 632, etc., for example. For example, if the messaging microservice finds a "user created" event in queue 628, it executes the corresponding notification logic and sends a corresponding email to the user.

In one embodiment, queue 628 queues operational events published by microservices 614 and resource events published by APIs 616 that manage IDCS resources.

IDCS uses real-time caching structures to improve system performance and user experience. The cache itself is also provided as a microservice. IDCS implements an elastic cache cluster 626 that grows as the number of customers supported by IDCS increases. Cache cluster 626 may be implemented with a distributed data grid, which is disclosed in more detail below. In one embodiment, write-only resources bypass the cache.

In one embodiment, the IDCS runtime component publishes health and operational metrics to a public cloud monitoring module 636 that collects such metrics for a public cloud, such as Oracle's Oracle Public Cloud.

In one embodiment, IDCS may be used to create users. For example, client application 602 may issue a REST API call to create a user. The Admin service (platform service at 614) delegates this call to the user manager (infrastructure library/service at 614). The user manager then creates this user in the tenant specific ID store stripe within ID store 618. If “User Create Success”, the user manager audits the table in the audit schema 624 by auditing the operation and publishes “identity.user.create.success” to the message queue 628. do. Identity subscriber 632 picks up this event and sends a "welcome" email to the newly created user containing the newly created login details.

In one embodiment, IDCS may be used to provide roles to users so that they can be provisioned with actions. For example, client application 602 may issue a REST API call to grant a role to a user. The Management Service (Platform Services at 614) may delegate this call to the Role Manager (Infrastructure Libraries/Services at 614). This role manager grants roles in the ID store stripe for a particular tenant within ID store 618. In the case of “Role Grant Success,” the role manager audits the operation on the audit table in the audit schema 624 and publishes “identity.user.role.grant.success” to the message queue 628. Identity subscriber 632 picks up this event and evaluates the provisioning policy. If there is an active application grant for the role being granted, the provisioning subscriber performs some validation, initiates account creation, calls out to the target system, creates an account on the target system, and the account creation is successful. Mark it as done. Each of these functions results in a corresponding response such as "prov.account.create.initiate", "prov.target.create.initiate", "prov.target.create.success" or "prov.account.create.success". events that occur may end up being published. These events may have their own business metrics that sum the number of accounts created on the target system over the last N days.

In one embodiment, IDCS can be used for user login. For example, client application 602 may request a user login using one of the supported authentication flows. IDCS authenticates the user and, if successful, audits the operations on the audit tables in audit schema 624. Upon failure, IDCS audits the failure in audit schema 624 and publishes a "login.user.login.failure" event in message queue 628. The login subscriber picks up this event, updates its metrics for the user, and decides whether it needs to perform additional analysis on the user's access history.

Therefore, by providing an "inversion of control" capability (e.g., scheduling the execution of an operation at a later point in time by changing the flow of execution, such that the operation is under the control of another system). , Embodiments can dynamically add other event queues and subscribers to test new features on a small sample of users before deploying them to a broader user base, or for specific internal or external customers. be able to handle specific events for.

Stateless Functionality IDCS microservices are stateless. This means that microservices themselves do not maintain state. "State" refers to data that an application uses to perform its functions. IDCS provides multi-tenancy functionality by persisting all state to tenant-specific repositories within the IDCS data layer. The middle tier (ie, the code that processes requests) does not have data stored in the same location as the application code. Therefore, IDCS is highly scalable both horizontally and vertically.

Vertical scaling (or scaling up/down) means adding resources to (or removing resources from) one node in the system, adding more CPU or memory to one computer It is generally accompanied by Vertical scalability allows applications to scale up to the limits of their hardware. Horizontal scaling (or scaling out/in) means adding more nodes to (or removing nodes from) a system, such as adding a new computer to a distributed software application. . Lateral scalability allows applications to scale almost infinitely, limited only by the amount of bandwidth provided by the network.

The stateless nature of the IDCS middle layer allows it to be horizontally scalable by simply adding more CPUs, and the IDCS components that perform the work of an application can access the specified physical infrastructure on which a particular application is running. There's no need to have it. The statelessness of the IDCS middle layer makes the IDCS highly available even when providing identity services to a large number of customers/tenants. Each path through the IDCS application/service is dedicated to CPU usage to perform application transactions, but does not use hardware to store data. Scaling is achieved by adding more slices while the application is running, while transactional data is stored in a persistence layer that can add more copies as needed.

The IDCS web tier, middle tier, and data tier are each independently and separately scalable. By scaling the web tier, more HTTP requests can be handled. By scaling the middle tier, more service functionality can be supported. You can support more tenants by scaling your data tier.

IDCS Functional View FIG. 6A is an example block diagram 600b of a functional view of IDCS in one embodiment. In block diagram 600b, the IDCS functional stack includes services, shared libraries, and data stores. The services include IDCS platform services 640b, IDCS premium services 650b, and IDCS infrastructure services 662b. In one embodiment, IDCS platform services 640b and IDCS premium services 650b are separately deployed Java-based runtime services that enable the business of IDCS. IDCS infrastructure service 662b is a separately deployed runtime service that provides infrastructure support for IDCS. The shared libraries include the IDCS infrastructure library 680b, which is common code packaged as a shared library used by IDCS services, and shared libraries. The data stores are the data repositories required/generated by IDCS: identity store 698b, global configuration 700b, message store 702b, global tenant 704b, personalization settings 706b, resources 708b, user temporary data 710b, system temporary data 712b. , a schema (managed ExaData) 714b for each tenant, an operational store (not shown), a caching store (not shown), and the like.

In one embodiment, IDCS platform services 640b include, for example, OpenID Connect service 642b, OAuth2 service 644b, SAML2 service 646b, and SCIM++ service 648b. In one embodiment, IDCS premium services include, for example, cloud SSO and governance 652b, enterprise governance 654b, AuthN broker 656b, federation broker 658b, and private account management 660b.

IDCS infrastructure services 662b and IDCS infrastructure library 680b provide support for the functionality needed by IDCS platform services 640b to perform its work. In one embodiment, IDCS infrastructure services 662b include job scheduler 664b, UI 666b, SSO 668b, reporting 670b, cache 672b, storage 674b, service manager 676b (public cloud control), and event processor 678b (user notification, application subscription, auditing, etc.). , data analysis). In one embodiment, the IDCS infrastructure library 680b includes a data manager API 682b, an event API 684b, a storage API 686b, an authentication API 688b, an authorization API 690b, a cookie API 692b, a key API 694b, and a credential API 696b. In one embodiment, cloud computing service 602b (internal Nimbula) supports the functionality of IDCS infrastructure service 662b and IDCS infrastructure library 680b.

In one embodiment, IDCS provides various UIs 602b for consumers of IDCS services, such as a customer end user UI 604b, a customer administration UI (admin UI) 606b, a DevOps administration UI 608b, and a login UI 610b. In one embodiment, IDCS enables application (eg, customer application 614b, partner application 616b, and cloud application 618b) integration 612b and firmware integration 620b. In one embodiment, various environments may be integrated with IDCS to support their access control needs. Such integration is provided, for example, by identity bridge 622b (which provides AD integration, WNA, and SCIM connectors), Apache agent 624b, or MSFT agent 626b.

In one embodiment, internal and external IDCS consumers are integrated with IDCS's identity services for standards-based protocols 628b, such as OpenID Connect 630b, OAuth2 632b, SAML2 634b, SCIM 636b, and REST/HTTP 638b. This allows the domain name system (“DNS”) to be used to determine where to route requests, separating application consumption from understanding the internal realization of identity services. .

The IDCS functional view of FIG. 6A further shows that IDCS provides user notifications (Cloud Notification Service 718b), file storage (Cloud Storage Service 716b), and metrics/alerts for DevOPs (Cloud Monitor Service (EM) 722b and Cloud Metrics Service). (Graphite) 720b) includes public cloud infrastructure services that provide common functionality upon which it relies.

Cloud Gate In one embodiment, IDCS implements "Cloud Gate" at the web layer. Cloud Gate is a web server plugin that allows web applications to externalize user SSO to an identity management system (e.g. IDCS), similar to WebGate or WebAgent technologies that work with enterprise IDM stacks. . Cloud Gate acts as a security gatekeeper that secures access to the IDCS API. In one embodiment, Cloud Gate is implemented by a web/proxy server plugin that provides a Web Policy Enforcement Point (“PEP”) to secure HTTP resources based on OAuth.

FIG. 7 is a block diagram 700 of an embodiment implementing Cloud Gate 702. Cloud Gate 702 runs within a web server 712 and acts as a policy enforcement point (“PEP”). The Policy Enforcement Point is integrated with an IDCS Policy Decision Point (“PDP”) that uses open standards (e.g., OAuth2, OpenID Connect, etc.) while providing web browser and application access to REST API resources 714. Configured to be secure. In some embodiments, PDP is implemented with OAuth and/or OpenID Connect microservices 704. For example, when a user browser 706 sends a request to the IDCS to log in for a user 710, the corresponding IDCS PDP verifies the credentials and then determines whether the credentials are sufficient (e.g., a second password, etc.). determine whether to request credentials). In the embodiment of FIG. 7, Cloud Gate 702 has a local policy, so it can serve as both a PEP and a PDP.

As part of the one-time deployment, Cloud Gate 702 registers IDCS as an OAuth2 client, which allows it to request OIDC and OAuth2 operations from IDCS. This then holds configuration information about the application's protected and unprotected resources that are subject to request matching rules (how URLs are matched against e.g. wildcards, regular expressions, etc.). do. By deploying Cloud Gate 702, different applications with different security policies can be protected, and the protected applications may be multi-tenant.

During browser-based user access, Cloud Gate 702 acts as an OIDC RP 718 that initiates the user authentication flow. If the user 710 does not have a valid local user session, Cloud Gate 702 redirects the user to the SSO microservice and participates in the OIDC "authorization code" flow with the SSO microservice. This flow ends with the delivery of the JWT as an identity token. Cloud Gate 708 validates the JWT (eg, noting signature, expiration, destination/audience, etc.) and issues a local session cookie for user 710. It functions as a session manager 716 that secures web browser access to protected resources and issues, updates, and validates local session cookies. This also provides a logout URL for deletion of that local session cookie.

Cloud Gate 702 also acts as an HTTP Basic Auth authenticator and verifies HTTP Basic Auth credentials against IDCS. This behavior is supported in sessionless and session-based (local session cookie) modes. In this case, no server-side IDCS session is created.

During programmatic access by REST API client 708, Cloud Gate 702 may act as an OAuth2 resource server/filler 720 for the application's protected REST API 714. This checks whether the request exists for the authorization header and access token. When a client 708 (e.g., mobile, web application, JavaScript, etc.) presents an access token (issued by IDCS) for use with the protected REST API 714, Cloud Gate 702 grants access to the API. Validate access tokens beforehand (e.g. signature, expiration, audience, etc.). The original access token is sent without modification.

Generally, OAuth is used to generate client identity propagation tokens (eg, indicating who the client is) or user identity propagation tokens (eg, indicating who the user is). In this embodiment, the implementation of OAuth in Cloud Gate is based on JWT, which defines the format of web tokens, such as that provided by IETF, RFC7519.

When a user logs in, a JWT is issued. The JWT is signed by IDCS and supports multi-tenancy functionality in IDCS. Cloud Gate enables multi-tenancy functionality in IDCS by validating JWTs issued by IDCS. Thus, IDCS provides multi-tenancy both in the physical structure and in the logical business processes that support the security model.

Types of Tenancy IDCS specifies three types of tenancy: customer tenancy, client tenancy, and user tenancy. Customer or resource tenancy identifies who the customer of the IDCS is (ie, for whom the work is being performed). Client tenancy identifies which client applications are attempting to access data (ie, which applications are performing work). User tenancy identifies which users are using the application to access data (ie, by whom the work is being performed). For example, when a professional services company uses IDCS to provide system integration functionality for a large discount store and to provide identity management for this large discount store's systems, the user tenancy is equivalent to the professional services company. However, the client tenancy corresponds to the application used to provide system integration functionality, and the customer tenancy is a large discount store.

Separating and integrating these three tenancies enables multi-tenant functionality in cloud-based services. Generally, for on-premises software installed on on-premises physical machines, there is no need to specify these three tenancies. This is because the user must be physically present on the machine to log in. However, in the case of a cloud-based service structure, embodiments have tokens to determine who uses which applications to access which resources. The three tenancies are codified by tokens, enforced by Cloud Gate, and used by mid-tier business services. In one embodiment, an OAuth server generates the token. In various embodiments, this token may be used with security protocols other than OAuth.

The separation of users, clients, and resource tenancies provides substantial business benefits to users of IDCS-provided services. For example, by doing so, a service provider that understands the needs of a business (e.g. a health business) and its identity management issues can purchase services provided by IDCS and develop its own back-end applications that consume the services of IDCS. You can then provide this backend application to your target business. Thus, service providers can extend the services of the IDCS to provide their desired functionality and target them to specific target businesses. Service providers are not required to build and run software to provide identity services, but can instead extend and customize the IDCS's services to suit the needs of their target business.

Some known systems only account for a single tenancy, the customer tenancy. However, such systems are inadequate when handling access by a combination of users, such as a customer user, a partner of the customer, a client of the customer, the client itself, or a client to whom access has been delegated by the customer. By defining and enforcing multiple tenancies in this embodiment, it becomes easier to specify management functions for these diverse users.

In one embodiment, one entity in the IDCS does not belong to multiple tenants at the same time, but only one tenant, and the "tenancy" is where the artifacts reside. Generally, there are multiple components that implement a particular functionality, and these components can belong to multiple tenants or belong to an infrastructure. The infrastructure interacts with entity services on behalf of the tenant when it needs to act on behalf of the tenant. In this case, the infrastructure itself has its own tenancy and the customer has its own tenancy. When a request is submitted, there are multiple tenancies associated with this request.

For example, a client belonging to "Tenant 1" may issue a request to obtain a token for "Tenant 2" that specifies a user in "Tenant 3." As another example, a user residing in "Tenant 1" may need to perform an action in an application owned by "Tenant 2." Therefore, the user needs to go to the "Tenant 2" resource namespace and request a token for it. Therefore, delegation of authority is achieved by specifying who can do what, and to whom. As another example, a first user working for a first organization ("Tenant 1") may be working for a second organization ("Tenant 2"), and a second user working for a second organization ("Tenant 2") may be working for a third organization ("Tenant 2"). "Tenant 3") may be permitted to access documents hosted by Tenant 3.

In one example, a client in "Tenant 1" may request an access token for a user in "Tenant 2" to access an application in "Tenant 3." The client may request the token by going to "http://tenant3/oauth/token" and calling an OAuth request for this token. The client identifies itself as a client residing in "Tenant 1" by including a "client assertion" in the request. This client assertion includes a client ID (eg, "Client 1") and a client tenancy ("Tenant 1"). As "Client 1" of "Tenant 1", the client has the right to invoke a request for a token for "Tenant 3" and desires a token for a user of "Tenant 2". Therefore, the "user assertion" is also sent as part of the same HTTP request. The access token that is generated is issued in the context of the target tenancy, which is the application tenancy ("Tenant 3") and includes the user tenancy ("Tenant 2").

In one embodiment, each tenant in the data layer is implemented as an independent stripe. From a data management perspective, artifacts reside in the tenant. From a service perspective, services know how to work with disparate tenants, and multiple tenancy is a different dimension in a service's business capabilities. FIG. 8 illustrates an example system 800 that implements multiple tenancy in certain embodiments. System 800 includes a client 802 that requests services provided by microservices 804 that understand how to work with data in database 806. The database includes multiple tenants 808, each tenant including artifacts for the corresponding tenancy. In one embodiment, microservice 804 is an OAuth microservice that is requested through https://tenant3/oauth/token to obtain a token. The functionality of the OAuth microservice is executed in the microservice 804 using data from the database 806 to verify whether the request of the client 802 is legitimate, and if so, a different tenancy 808 is performed. The data from is used to construct the token. Thus, system 800 is multi-tenant in that it is capable of working in a cross-tenant environment by supporting services that are provided to each tenancy as well as services that can act on behalf of various tenants.

System 800 is advantageous. The reason is as follows. Microservices 804 are physically separated from the data in database 806, and by replicating data through a location closer to the client, microservices 804 can be provided as local services to clients, and system 800 You can manage the availability of your services and provide them globally.

In one embodiment, microservices 804 are stateless. This means that the machine running microservice 804 does not maintain a marker that indicates a service for a particular tenant. Alternatively, the tenancy may be marked, for example, in the host portion of the URL of the incoming request. This tenancy indicates one of the tenants 808 of database 806. When supporting a large number of tenants (eg, millions of tenants), microservices 804 cannot have the same number of connections to database 806. Microservice 804 instead uses connection pool 810, which provides an actual physical connection to database 806 in the context of a database user.

Typically, connections are established by providing a connection string to the underlying driver or provider. The connection string is used to address a particular database or server and to provide instance and user authentication credentials (for example, "Server=sql_box;Database=Common;User ID=uid;Pwd=password; ”). Once a connection is established, it can be opened and closed, and properties (eg, command timeout length, or transaction, if present) can be set. The connection string includes a set of key-value pairs as directed by the data provider's data access interface. A connection pool is a cache of database connections that is maintained so that connections can be reused when future requests to the database are needed. In connection pooling, connections are placed in a pool after they are created and reused so that new connections do not have to be established. For example, if 10 connections are required between a microservice 804 and a database 808, the connection pool 810 contains information about who owns this connection, all in the context of a database user (e.g., in relation to a particular database user). There will be 10 open connections (related to who the user is, whose credentials are being verified, are they database users, are they system credentials, etc.).

Connections in connection pool 810 are created for system users who can access anything. Therefore, to properly handle auditing and privileges by microservices 804 processing requests on behalf of a tenant, database operations are performed in the context of a "proxy user" 812 associated with the schema owner assigned to a particular tenant. Ru. This schema owner has access only to the tenancy for which this schema was created, and the value of this tenancy is the value of this schema owner. When a request is made for data in database 806, microservice 804 serves this data using connections in connection pool 810. Multi-tenancy is thus a tenant-specific data store binding built for each request on top of a data connection created in the context of (e.g. in conjunction with) a data store proxy user associated with the resource tenancy. By having a stateless, elastic middle-tier service that processes incoming requests in the context of (e.g., relative to) the database can scale independently of the service.

The following provides examples of functionality for implementing proxy users 812.

In this feature, microservice 804 uses a database connection in connection pool 810 while setting the "Proxy User" setting for the connection drawn from connection pool 810 to "Tenant." and perform data operations in the context of a tenant.

When configuring different columns for different tenants in the same database by striping all tables, one table may contain data for all tenants mixed. In contrast, one embodiment provides a tenant-driven data layer. This embodiment provides different physical databases for each tenant, rather than striping the same database for different tenants. For example, multi-tenancy may be achieved using a pluggable database (eg, Oracle Database 12c), where each tenant is assigned a separate partition. In the data layer, resource managers process requests and then ask for the data source for that request (apart from the metadata). The present embodiment performs a runtime switch to each data source/store on a per-request basis. By separating each tenant's data from other tenants, this embodiment provides improved data security.

In one embodiment, different tokens coordinate different tenancies. The URL token may identify the tenancy of the application requesting the service. The identity token may codify the identity of the user to be authenticated. Access tokens may specify multiple tenancies. For example, an access token may codify the tenancy that is the target of such access (eg, application tenancy) and the user tenancy of the user granted access. The client assertion token may identify the client ID and client tenancy. A user assertion token may identify a user and user tenancy.

In one embodiment, the identity token includes at least a "claim/statement" indicating the user tenant name (ie, where the user resides). A "claim" (as used by those skilled in the security art) in connection with an authentication token is a statement that one entity makes about itself or another entity. The statements may be about names, identities, keys, groups, permissions, or capabilities, for example. Claims are issued by a provider, provided with one or more values, and then packaged into a security token issued by the issuer, commonly known as a security token service (“STS”). be done.

In one embodiment, the access token includes at least a claim/statement indicating the resource tenant name (e.g., customer) at the time the request for the access token was made, a claim indicating the user tenant name, and the requesting OAuth client. It includes a claim indicating the name and a claim indicating the client tenant name. In one embodiment, the access token may be implemented according to the following JSON functions.

In one embodiment, the client assertion token includes at least a claim indicating the client tenant name and a claim indicating the name of the requesting OAuth client.

The tokens and/or multiple tenancies described herein may be implemented by any multi-tenant cloud-based service other than IDCS. For example, the tokens and/or multiple tenancies described herein may be implemented in a SaaS or Enterprise Resource Planning ("ERP") service.

FIG. 9 is a block diagram of a network view 900 of IDCS in one embodiment. FIG. 9 illustrates network interactions that occur between application "zones" 904 in one embodiment. Applications are divided into zones (eg, SSL zones, no SSL zones, etc.) based on the level of protection required and the ability to connect to various other systems. Some of the application zones are application zones that provide services that require access from inside IDCS, some are application zones that provide services that require access from outside IDCS, and some are open access. . Therefore, each protection level is enhanced for each zone.

In the embodiment of FIG. 9, communication between services is done using HTTP requests. In one embodiment, the IDCS uses the access tokens described herein to not only provide services, but also to secure access to and within the IDCS itself. In one embodiment, the IDCS microservice is exposed through a RESTful interface and secured with the tokens described herein.

In the embodiment of FIG. 9, any one of the various applications/services 902 may use the IDCS service by making an HTTP call to the IDCS API. In one embodiment, the application/service 902 HTTP request is sent to an Oracle public cloud load balancing external virtual IP address (“VIP”) 906 (or other similar technology), a public cloud web routing layer 908, and an IDCS load balancing internal VIP. It may be received by IDCS web routing layer 912 through appliance 910 (or other similar technology). IDCS web routing layer 912 receives requests from outside or inside IDCS and routes them through IDCS platform services layer 914 or IDCS infrastructure services layer 916. The IDCS platform services layer 914 includes IDCS microservices called from outside of IDCS, such as OpenID Connect, OAuth, SAML, and SCIM. IDCS infrastructure services layer 916 includes support microservices called from within IDCS to support the functionality of other IDCS microservices. Examples of IDCS infrastructure microservices are UI, SSO, reporting, cache, job scheduler, service manager, functions for creating keys, etc. IDCS cache layer 926 supports caching functions for IDCS platform services layer 914 and IDCS infrastructure services layer 916.

By enhancing the security of both external and internal IDCS access, IDCS customers can be provided with outstanding security compliance for the applications they run.

In the embodiment of FIG. 9, the OAuth protocol is used except for the data layer 918, which communicates based on Structured Query Language ("SQL"), and the identity store layer 920, which communicates based on LDAP. The same tokens used to secure communications between IDCS components (eg, microservices) within the IDCS and secure access from outside the IDCS are also used for security within the IDCS. That is, the web routing layer 912 uses the same tokens and protocols to process requests it receives, whether the requests are received from outside the IDCS or from within the IDCS. IDCS thus enables outstanding security compliance by providing one consistent security model to protect the entire system. This is because the fewer security models implemented within a system, the more secure the system will be.

In an IDCS cloud environment, applications communicate by making network calls. The network call may be based on an applicable network protocol such as HTTP, Transmission Control Protocol ("TCP"), User Datagram Protocol ("UDP"), or the like. For example, application "X" may communicate with application "Y" based on HTTP by exposing application "Y" as an HTTP Uniform Resource Locator ("URL"). . In one embodiment, "Y" is an IDCS microservice that exposes multiple resources, each corresponding to a certain functionality. When "X" (e.g. another IDCS microservice) needs to call "Y", it constructs a URL containing "Y" and the resource/function it needs to call (e.g. https:/host/ Y/resource), makes a corresponding REST call that is routed to “Y” through the web routing layer 912.

In one embodiment, the caller outside of IDCS may not need to know where "Y" is, but the web routing layer 912 needs to know where application "Y" is running. In one embodiment, IDCS implements a discovery function (implemented by an OAuth service) to determine where each application is running so that the availability of static routing information is no longer required.

In one embodiment, an enterprise manager ("EM") 922 provides a "single pane of glass" that extends on-premises and cloud-based management to IDCS. In one embodiment, Chef Software's configuration management tool, Chef server 924, provides configuration management functionality for the various IDCS layers. In one embodiment, the service deployment infrastructure and/or persistent storage module 928 sends OAuth2 HTTP messages to the IDCS web routing layer 912 for tenant lifecycle management operations, public cloud lifecycle management operations, or other operations. You may. In one embodiment, IDCS infrastructure services layer 916 may send the ID/password HTTP message to public cloud notification service 930 or public cloud storage service 932.

Cloud access control - SSO
One embodiment supports lightweight cloud standards to achieve cloud-scale SSO services. Examples of lightweight cloud standards include HTTP, REST, and standards that provide access through a browser (because web browsers are lightweight). Conversely, SOAP is an example of a heavy cloud standard that requires more management, configuration, and tooling to build clients. This embodiment requests user authentication from IDCS by using OpenID Connect semantics for the application. The present embodiment uses lightweight HTTP cookie-based user session tracking to track users' active sessions in IDCS without stateful server-side session support. The present embodiment uses a JWT-based identity token when mapping an authenticated identity back to its local session for the consuming application. This embodiment supports integration with federated identity management systems and exposes SAML IDP support for enterprise deployments to require user authentication to IDCS.

FIG. 10 is a block diagram 1000 of a system architecture view of SSO functionality within IDCS in one embodiment. This embodiment allows client applications to promote standards-based web protocols to initiate user authentication flows. Applications that require SSO integration with cloud systems may reside in corporate data centers, remote partner data centers, or may be operated by on-premises customers. In one embodiment, different IDCS platform services are connected to OpenID Connect for processing login/logout requests from connected native applications (i.e., applications that utilize OpenID Connect to integrate with IDCS). A SAML IDP service for handling browser-based login/logout requests from applications with IDCS, a SAML SP service for coordinating user authentication to external SAML IDPs, and a local or federated login flow. Enable SSO business, such as internal IDCS SSO services for coordinating end-user login ceremonies for managing host session cookies. Generally, HTTP works with or without forms. When working with a form, this form is the form that is visible within the browser. When working without forms, this acts as a communication from client to server. Both OpenID Connect and SAML require the ability to render forms, but this is accomplished through the presence of a browser, or is performed virtually by an application that functions as if a browser were present. In one embodiment, an application client that achieves user authentication/SSO through IDCS needs to register as an OAuth2 client in IDCS and obtain a client identifier and credentials (e.g., ID/password, ID/certificate, etc.) There is a need.

The example embodiment of FIG. 10 uses three components/microservices that collectively provide login functionality, including OAuth2 1004 and SAML2 1006 as two platform microservices and SSO 1008 as one infrastructure microservice. include. In the embodiment of FIG. 10, IDCS provides an "identity metasystem." In this metasystem, SSO services 1008 are provided for different types of applications. These applications are browser-based web or native applications 1010, 2 that require a three-way OAuth flow and act as an OpenID Connect relaying party (“RP”, an application that outsources its user authentication functions to an IDP). These include a native application 1011 that requires inter-user OAuth flow and functions as an OpenID Connect RP, and a web application 1012 that functions as a SAML SP.

In general, an identity metasystem is an interoperable architecture for digital identity that allows for the use of a collection of multiple underlying technologies, implementations, and providers. LDAP, SAML, and OAuth are examples of different security standards that provide identity functionality and can be the basis for building applications, and an identity metasystem is a unified and The security system may be configured to provide a secure security system. The LDAP security model specifies specific mechanisms for handling identities, and all paths through the system must be strictly protected. SAML was developed to allow one set of applications to securely exchange information with another set of applications belonging to different organizations in different security domains. Since there is no trust between these two applications, SAML was developed to allow one application to authenticate another application that does not belong to the same organization. OAuth provides OpenID Connect, a lightweight protocol for performing web-based authentication.

In the embodiment of FIG. 10, when an OpenID application 1010 connects to an OpenID server in the IDCS, its "channel" requests SSO service. Similarly, when a SAML application 1012 connects to a SAML server in IDCS, its "channel" also requests SSO services. In IDCS, each microservice (eg, OpenID microservice 1004 and SAML microservice 1006) processes a respective application, and these microservices require SSO functionality from SSO microservice 1008. This architecture can be extended to support any number of other security protocols by adding microservices for each protocol and then using SSO microservices 1008 for SSO functionality. The SSO microservice 1008 issues sessions (ie, is provided with the SSO cookie 1014) and is the only system authorized to issue sessions in this architecture. The IDCS session is realized by browser 1002 using SSO cookie 1014. Browser 1002 also uses local session cookies 1016 to manage its local session.

In one embodiment, for example, within a browser, a user logs in using a first application based on SAML and then uses a second application built using a different protocol, such as OAuth. Good too. The user is given SSO on a second application within the same browser. Therefore, the browser is the state or user agent and manages cookies.

In one embodiment, SSO microservices 1008 provide login ceremony 1018, ID/password recovery 1020, first login flow 1022, authentication manager 1024, HTTP cookie manager 1026, and event manager 1028. Login ceremony 1018 implements SSO functionality based on customer settings and/or application context and may be configured according to local forms (eg, Basic Auth), external SAML IDP, external OIDC IDP, etc. ID/Password Recovery 1020 is used to recover a user's ID and/or password. The first login flow 1022 is implemented when the user logs in for the first time (ie, no SSO session exists yet). Authentication manager 1024 issues an authentication token upon successful authentication. HTTP cookie manager 1026 stores the authentication token in an SSO cookie. Event manager 1028 publishes events related to SSO functionality.

In one embodiment, the interaction between OAuth microservice 1004 and SSO microservice 1008 is based on browser redirects, where SSO microservice 1008 queries the user using an HTML form, validates credentials, and uses session cookies. Issue.

In one embodiment, for example, OAuth microservice 1004 receives authentication requests from browser 1002 and authenticates users of the application according to a three-way OAuth flow. Thus, OAuth microservice 1004 acts as an OIDC provider 1030 and redirects browser 1002 to SSO microservice 1008 to follow the application context. Depending on whether the user has a valid SSO session, the SSO microservice 1008 either validates the existing session or performs a login ceremony. Upon successful authentication or verification, SSO microservice 1008 returns an authentication context to OAuth microservice 1004. The OAuth microservice 1004 then redirects the browser 1002 to the authorization (callback URL with the "AZ" code. The browser 1002 sends the AZ code to the OAuth microservice 1004 and requests the necessary token 1032. The browser 1002 includes its client credentials (obtained when registering IDCS as an OAuth2 client) in the HTTP authorization header. In response, the OAuth microservice 1004 provides the requested token 1032 to the browser 1002. One embodiment In , the token 1032 provided to the browser 1002 includes a JW identity and an access token signed by the IDCS OAuth2 server. Further details of this functionality are disclosed below with reference to FIG. 11.

In one embodiment, for example, OAuth microservice 1004 receives authorization requests from native application 1011 and authenticates users according to a two-party OAuth flow. In this case, the authentication manager 1034 of the OAuth microservice 1004 performs the corresponding authentication (for example, based on the ID/password received from the client 1011), and the token manager 1036 issues the corresponding access token if the authentication is successful. .

In one embodiment, for example, SAML microservice 1006 receives an SSO POST request from a browser and authenticates a user of web application 1012 acting as a SAML SP. SAML microservice 1006 then acts as SAML IDP 1038 and redirects browser 1002 to SSO microservice 1008 and follows the application context. Depending on whether the user has a valid SSO session, the SSO microservice 1008 either validates the existing session or performs a login ceremony. Upon successful authentication or validation, SSO microservice 1008 returns an authentication context to SAML microservice 1006. The SAML microservice then redirects to the SP with the required token.

In one embodiment, for example, SAML microservice 1006 may function as a SAML SP 1040 and may go to a remote SAML IDP 1042 (e.g., active directory federation service ("ADFS"). In one embodiment implements a standard SAML/AD flow. In one embodiment, the interaction between SAML microservice 1006 and SSO microservice 1008 is based on browser redirects, and SSO microservice 1008 uses an HTML form. queries the user, verifies credentials, and issues a session cookie.

In one embodiment, interactions between components internal to IDCS (eg, 1004, 1006, 1008) and components external to IDCS (eg, 1002, 1011, 1042) occur through firewall 1044.

Login/Logout Flow Figure 11 is a message sequence flow 1100 for the SSO functionality provided by IDCS in one embodiment. When a user accesses a client 1106 (e.g., a browser-based application or a mobile/native application) using a browser 1102, Cloud Gate 1104 acts as an application enforcement point and enforces the policies specified in the local policy text file. do. If Cloud Gate 1104 detects that the user does not have a local application session, it requests the user's authentication. To do so, Cloud Gate 1104 initiates an OpenID Connect login flow to OAuth2 microservice 1110 by redirecting browser 1102 to OAuth2 microservice 1110 (a three-way AZ Grant flow with scope = "openid profile ”).

The browser 1102 request traverses the IDCS routing layer web service 1108 and Cloud Gate 1104 to reach the OAuth2 microservice 1110. The OAuth2 microservice 1110 configures the application context (i.e., metadata that describes the application, such as the identity of the connecting application, client ID, configuration, what the application can do, etc.) and directs the browser 1102 to the SSO microservice for login. Redirect to service 1112.

If the user has a valid SSO session, the SSO microservice 1112 validates the existing session without initiating a login ceremony. If the user does not have a valid SSO session (ie, the session cookie is not present), the SSO microservice 1112 initiates a user login ceremony (eg, displays a branded login page) according to the customer's login preferences. To do so, SSO microservice 1112 redirects browser 1102 to login application service 1114 implemented in JavaScript. Login application service 1114 provides a login page to browser 1102. Browser 1102 sends a REST POST containing login credentials to SSO microservice 1112. SSO microservice 1112 generates an access token and sends it to Cloud Gate 1104 in a REST POST. Cloud Gate 1104 verifies the user's password by sending the authentication information to Admin SCIM microservice 1116. Management SCIM microservice 1116 determines that the authentication is successful and sends a corresponding message to SSO microservice 1112.

In one embodiment, the login page does not display a consent page during the login ceremony. This is because the "login" operation does not require further consent. Instead, a privacy policy is written on the login page that informs the user about the specific profile attributes that are exposed to the application. During the login ceremony, the SSO microservice 1112 respects the customer's IDP preferences and, once configured, redirects to the IDP for authentication against the configured IDP.

Upon successful authentication or validation, the SSO microservice 1112 directs the browser 1102 to the newly created/updated SSO host HTTP cookie (e.g., the cookie created in the context of the host indicated by "HOSTURL") containing the user's authentication token. ) to redirect the browser 1102 back to the OAuth2 microservice 1110. OAuth2 microservice 1110 redirects the AZ code (eg, OAuth concept) back to browser 1102 and to Cloud Gate 1104. Browser 1102 sends the AZ code to Cloud Gate 1104, which sends a REST POST to OAuth2 microservice 1110 requesting an access token and an identity token. Both of these tokens are scoped to OAuth microservice 1110 (indicated by the audience token claim). Cloud Gate 1104 receives these tokens from OAuth2 microservice 1110.

Cloud Gate 1104 uses the identity token to map the authenticated user's identity to its internal account representation, and it may save this mapping in its HTTP cookie. Cloud Gate 1104 then redirects browser 1102 to client 1106. The browser 1102 then reaches the client 1106 and receives a corresponding response from the client 1106. From this point on, browser 1102 can seamlessly access the application (ie, client 1106) as long as the application's local cookie is valid. If the local cookie is invalidated, the authentication process repeats.

Cloud Gate 1104 further uses the access token included in the request to obtain "userinfo" from OAuth2 microservice 1110 or from the SCIM microservice. This access token is sufficient to access the "userinfo" resource for attributes given by the "profile" scope. This is also sufficient to access the "/me" resource via the SCIM microservice. In one embodiment, by default, the included access token is sufficient only for user profile attributes given under the "Profile" scope. Access to other profile attributes is authorized based on additional (optional) scopes presented in the AZ grant login request issued by Cloud Gate 1104.

If the user accesses another application with OAuth2 integration, the same process is repeated.

In one embodiment, the SSO integration architecture uses a similar OpenID Connect user authentication flow for browser-based user logout. In one embodiment, a user with an existing application session accesses Cloud Gate 1104 to initiate a logout. Instead, the user may have initiated a logout on the IDCS side. Cloud Gate 1104 terminates the application-specific user session and initiates an OAuth2 OpenID provider (“OP”) logout request to OAuth2 microservice 1110. OAuth2 microservice 1110 redirects to SSO microservice 1112, which deletes the user's host SSO cookie. SSO microservice 1112 initiates a set of redirects (OAuth2 OP and SAML IDP) to known logout endpoints tracked in the user's SSO cookie.

In one embodiment, when Cloud Gate 1104 requires user authentication (eg, login) using the SAML protocol, a similar process is initiated between SAML microservices and SSO microservices 1112.

Cloud Cache One embodiment provides a service/feature called Cloud Cache. A cloud cache is provided to IDCS to support communication with LDAP-based applications (eg, email servers, calendar servers, some business applications, etc.). This is because IDCS does not communicate according to LDAP, but such applications are configured to communicate only based on LDAP. Typically, cloud directories are exposed via REST APIs and do not communicate according to the LDAP protocol. Managing LDAP connections through a corporate firewall typically requires specialized configurations that are difficult to set up and manage.

To support LDAP-based applications, the cloud cache converts LDAP communications into a protocol suitable for communicating with cloud systems. Generally, LDAP-based applications use databases through LDAP. Alternatively, the application may be configured to use the database via a different protocol such as SQL. However, LDAP provides a hierarchical representation of resources in a tree structure, whereas SQL represents data as tables and fields. Therefore, it would be more desirable for LDAP to be used for search functions. On the other hand, it would be more desirable for SQL to be for transactional functions.

In one embodiment, the services provided by IDCS can be used in an LDAP-based application, for example, to authenticate users of the application (i.e., identity service) or to enforce the application's security policy (i.e., security service). can. In one embodiment, the interface with IDCS is through a firewall and is based on HTTP (eg, REST). Typically, corporate firewalls do not allow access to internal LDAP communications, even if those communications implement Secure Sockets Layer ("SSL"). Also, corporate firewalls do not allow TCP ports to be exposed through the firewall. However, Cloud Cache converts between LDAP and HTTP to allow LDAP-based applications to reach the services provided by IDCS, and the firewall is open to HTTP.

Generally, LDAP directories may be used in lines of business, such as marketing and development, to define users, groups, operations, and so on. In one example, a marketing and development business may serve a variety of customers, and each customer may have its own applications, users, groups, operations, and so on. Another example of a business line that may implement an LDAP cache directory is a wireless service provider. In this case, each call made by a user of the wireless service provider authenticates the user's device against the LDAP directory, and some of the corresponding information in the LDAP directory may be synchronized with the billing system. In these examples, LDAP provides the ability to physically separate the content being explored at runtime.

In one example, a wireless service provider may use the services provided by IDCS to support short-term marketing campaigns, while handling its own identity management services for its core business (eg, regular calls). In this case, the cloud cache "flattens" LDAP when it has one set of users and one set of groups running to the cloud. In one embodiment, any number of cloud caches may be implemented in IDCS.

Distributed Data Grid In one embodiment, the cache cluster in IDCS is implemented based on the distributed data grid disclosed in, for example, U.S. Patent Publication No. 2016/0092540, the disclosure of which is incorporated herein by reference. . A distributed data grid is a system in which a collection of computer servers in one or more clusters work together in a distributed or clustered environment to manage information and related operations such as calculations. Distributed data grids can be used to manage application objects and data that are shared between servers. Distributed data grids provide short response times, high throughput, predictable scalability, continuous availability, and information reliability. As a specific example, distributed data grids, such as Oracle's Oracle Coherence data grid, achieve even higher performance by storing information in-memory and synchronized information across multiple servers. Redundancy is used in maintaining copies of the data to ensure system resiliency and continued availability of data in the event of a server failure.

In one embodiment, IDCS implements a distributed data grid, such as Coherence, that allows all microservices to request access to shared cache objects without being blocked. Coherence is a proprietary, Java-based, in-memory data grid designed for greater reliability, scalability, and performance compared to traditional relational database management systems. Coherence provides a peer-to-peer (i.e., no central manager) in-memory distributed cache.

FIG. 12 illustrates an example of a distributed data grid 1200 that stores data and provides data access to clients 1250 to implement embodiments of the present invention. A "data grid cluster" or "distributed data grid" is a distributed or clustered environment in which information is stored and associated computations are performed by working together in one or more clusters (e.g., 1200a, 1200b, 1200c). A system that includes multiple computer servers (eg, 1220a, 1220b, 1220c, and 1220d) that manage operations. Although distributed data grid 1200 is shown as including four servers 1220a, 1220b, 1220c, 1220d with five data nodes 1230a, 1230b, 1230c, 1230d, and 1230e in cluster 1200a, distributed data grid 1200 may include any number of clusters and any number of servers and/or nodes in each cluster. In some embodiments, distributed data grid 1200 implements the invention.

As shown in FIG. 12, a distributed data grid provides data storage and management functionality by distributing data across multiple servers (eg, 1220a, 1220b, 1220c, and 1220d) that work together. Each server in the data grid cluster is a conventional computer, such as a "commodity x86" server hardware platform with one to two processor sockets and two to four CPU cores per processor socket. It may be a system. Each server (e.g., 1220a, 1220b, 1220c, and 1220d) may have one or more CPUs, a Network Interface Card ("NIC"), and, for example, a minimum of 4 GB of RAM and a maximum of 64 GB or more of RAM. Contains memory. Server 1220a is shown as having a CPU 1222a, memory 1224a, and NIC 1226a (these elements are also present on other servers 1220b, 1220c, 1220d, but not shown). Optionally, each server may be provided with flash memory (eg, SSD 1228a) to provide excess storage capacity. As provided, the SSD capacity is preferably 10 times the size of the RAM. The servers (e.g., 1220a, 1220b, 1220c, 1220d) of the data grid cluster 1200a are configured using high-performance network switches 1220 (e.g., Gigabit or higher Ethernet) using high-bandwidth NICs (e.g., PCI-X or PCIe). It is connected to the.

Although cluster 1200a preferably includes a minimum of four physical servers to avoid the possibility of data loss during a failure, typical installations have many more servers. The more servers there are in each cluster, the higher the efficiency of failover and failback, and the less impact a server failure has on the cluster. To minimize communication time between servers, each data grid cluster is ideally limited to a single switch 1202 that provides single-hop communication between servers. Thus, clusters are limited by the number of ports on switch 1202. Thus, a typical cluster includes 4 to 96 physical servers.

In most Wide Area Network ("WAN") configurations of distributed data grid 1200, each data center within the WAN is divided into separate but interconnected data grid clusters (e.g., 1200a, 1200b). , and 1200c). A WAN may include more clusters than those shown in FIG. 12, for example. In addition, by using interconnected but independent clusters (e.g., 1200a, 1200b, 1200c) and/or interconnected but independent clusters in data centers that are far apart from each other. By deploying a distributed data grid in a cluster, a distributed data grid can guarantee data and service to clients 1250 to prevent simultaneous loss of all servers in a cluster due to natural disasters, fire, flood, extended power outages, etc. Can be done.

One or more nodes (eg, 1230a, 1230b, 1230c, 1230d, and 1230e) run on each server (eg, 1220a, 1220b, 1220c, 1220d) of cluster 1200a. In a distributed data grid, nodes may be, for example, software applications, virtual machines, etc., and servers may include the operating system, hypervisor, etc. (not shown) on which the nodes operate. In an Oracle Coherence data grid, each node is a Java virtual machine (“JVM”). There may be multiple JVMs/nodes on each server depending on the CPU processing power and memory available on the server. JVMs/nodes may be added, started, stopped, and removed as required by the distributed data grid. The JVM running Oracle Coherence automatically joins and clusters upon startup. JVMs/nodes that join a cluster are called cluster members or cluster nodes.

Architecture Each client or server includes a bus or other communication mechanism for communicating information and includes a processor coupled to the bus for processing information. The processor may be any type of general purpose or special purpose processor. Each client or server may further include memory for storing instructions and information executed by the processor. The memory may consist of random access memory ("RAM"), read-only memory ("ROM"), static storage such as magnetic or optical disks, or any other type of computer-readable medium in combination. Each client or server may further include a communication device such as a network interface card for providing access to a network. Accordingly, a user may interface with each client or server directly, remotely through a network, or by any other means.

Computer-readable media can be any available media that can be accessed by a processor and includes volatile and nonvolatile media, removable and non-removable media, and communication media. Communication media may include computer-readable instructions, data structures, program modules or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and may include any information-carrying media. include.

The processor may further be coupled to a display, such as a liquid crystal display (“LCD”), via a bus. A keyboard and cursor control device, such as a computer mouse, may also be coupled to the bus to allow a user to interface with each client or server.

In one embodiment, the memory stores software modules that, when executed by the processor, provide functionality. The module includes an operating system that provides operating system functionality to each client or server. The module may further include a cloud identity management module to provide cloud identity management functionality and all other functionality disclosed herein.

Clients may access web services such as cloud services. In one embodiment, web services may be implemented on Oracle's WebLogic server. Other implementations of web services may be used in other embodiments. Web services access databases that store cloud data.

Example of IAM Functionality In one embodiment, IAM functionality is implemented by software stored in memory or other computer-readable or tangible media and executed by a processor.

Receive requests to perform identity management services. In one embodiment, the request includes a call to an API that identifies the identity management service and the microservice configured to perform the identity management service. In one embodiment, microservices are self-contained modules that can communicate with other modules/microservices, and each microservice has an unnamed universal port that can be contacted by others. For example, in one embodiment, as shown in FIG. 6, various applications/services 602 can make HTTP calls to the IDCS API to use IDCS microservices 614. In one embodiment, microservices are runtime components/processes.

In one embodiment, this request includes a URL. In one embodiment, microservices are identified in the prefix of the URL. In one embodiment, the resource portion of the URL identifies the API. In one embodiment, the host portion of the URL identifies the tenancy of the resource associated with the request. For example, in a URL such as "host/microservice/resource" in the IDCS web environment, a microservice is characterized by having a specific URL prefix (for example, "host/oauth/v1"), and the actual microservice is "oauth/v1", and there are multiple APIs under "oauth/v1", for example, API to request a token: "host/oauth/v1/token", to authenticate the user API for: "host/oauth/v1/authorize" etc. That is, the URL implements a microservice, and the resource part of the URL implements an API. Therefore, multiple APIs are aggregated under the same microservice. In one embodiment, the host portion of the URL identifies the tenant (eg, https://tenant3.identity.oraclecloud.com:/oauth/v1/token").

The request is then authenticated. In one embodiment, the request is authenticated by a security gate, such as Cloud Gate, described herein with reference to, for example, web routing layer 610 of FIG. 6 and/or Cloud Gate 702 of FIG. 7.

The microservices are then accessed based on the API, eg, as described herein with reference to the IDCS "API Platform" of FIG. 6 and accessing microservices in the IDCS middle layer 614. In one embodiment, communication with the microservice is configured through the microservice's anonymous universal port. In one embodiment, a microservice's anonymous universal port is a standard communication channel (e.g., as a traditional HTTP port) that the microservice exposes to which any other module/microservice within the same service It is a standard communication channel that allows people to communicate and talk. In one embodiment, a microservice provides one or more functionality by exposing one or more APIs. In one embodiment, communication with microservices is accomplished solely through one or more APIs. That is, contacting/contacting a microservice is only accomplished by calling such an API. In one embodiment, communication with microservices is configured according to a lightweight protocol. In one embodiment, lightweight protocols include HTTP and REST. In one embodiment, the request includes a call to a RESTful HTTP API. Accordingly, one embodiment provides dispatch functionality. Each HTTP request includes a URI and a verb. The present embodiment parses the endpoint (host/service/resource) of the URI and combines this with an HTTP verb (e.g., POST, PUT, PATCH, or Delete) to determine the appropriate method for the appropriate module. Dispatch (or call). This pattern is common in REST and is supported by various packages (eg Jersey).

Identity management services are then performed by the microservices, eg, as described herein with reference to the IDCS "API platform" of FIG. 6 and IDCS middle layer 614 access to microservices. In one embodiment, microservices are stateless, horizontally scalable, and independently deployable. In one embodiment, each physical implementation of a microservice is configured to securely support multiple tenants. In one embodiment, the identity management service includes a login service, an SSO service, a federation service, a token service, a directory service, a provisioning service, or an RBAC service.

Data Replication Public clouds, such as Oracle Public Cloud (“OPC”), typically provide resources such as virtual machines (“VMs”), applications, or storage that are accessible to the general public over the Internet. The company intends to provide and support IaaS, PaaS and SaaS services to customers around the world by making them available through the Internet. Public clouds are known for having multiple data centers, each located in a different geographic region, thereby providing services with minimal delay to customers located closest to each data center. In embodiments, public cloud services may be deployed in different data centers serving customers that are separated by physical boundaries referred to as "regions."

FIG. 13 illustrates a public cloud 1300 with multiple deployed data centers (denoted as “DCs”), each forming a “region”, according to one embodiment. For example, data center 1301 is located in a city in Canada, data center 1302 is located in a city in Germany, and data center 1303 is located in a city in Australia. In embodiments, one or more data centers are consolidated into an "island" managed by one or more "control plane" deployments (denoted as "CP"). An island is a collection of regions integrated into a "cloud" and managed by a single control plane. For example, control plane 1310 manages data centers 1301, 1304, 1305, 1306, and 1307, and control plane 1311 manages data centers 1308 and 1309. A typical control plane deployment can serve one or more regions, based on scalability requirements and customer loads in each region. In one embodiment, in a situation where a control plane component serves more than one region, this component requires permission to interact with all regions under one identity.

A customer account is managed by the cloud 1300 for each user/customer purchasing/obtaining various public cloud services. One type of service available to customers is the multi-tenant identity management service, or IDCS, disclosed above, which can be implemented as a control plane component and distributed separately in every region (i.e. every data center). By deploying it, you can protect resources in that area. As mentioned above, in one embodiment, a control plane that is not deployed in a particular region requires specific permissions to interact with components or tenants in regions where it is not deployed. For example, a control plane component designated for one region may desire to access an IDCS customer tenancy located in another region (ie, hosted in a different IDCS deployment). To do so, a component/customer assigned to the IDCS in one region may call the IDCS API to the IDCS in the other region (e.g., to access a particular microservice among the IDCS microservices 614 in FIG. 6). Trust must be established between these deployments so that The known solution is that a user specified in a region and assigned to this region can only access resources in this region, not in other regions, and can only authenticate from this region. , certification cannot be obtained from other regions.

In contrast, in embodiments, a user with a new access token, referred to as a "global access token" or "global token" in one region, can use this global token to access resources in another region (i.e., a remote region). can be accessed. Embodiments are directed to how to establish trust between regions to manage various IDCS regions to provide resources and authentication functionality to users/customers wherever they are located. Generally, a global token needs to be given to the user to enable cross-region trust functionality. This global token is then consumed by the destination trust center.

For example, a "client" (i.e., any application or programmatic approach for accessing a user or service) may reside only in data center 1307 in Chicago (where Chicago was originally built). be. Each client has its own identity and needs to verify it to obtain a token. If the client does not have a presence or footprint in any of the other data centers of cloud 1300 (i.e., IDCS deployments in other data centers), such as data center 1303 located in Sydney, for example, Assume. Therefore, even though the client is physically located near Sydney, it is not present in Sydney and cannot authenticate from the Sydney data center. To solve this problem, embodiments provide the necessary cross-region trust by generating global access tokens. Therefore, after authenticating in Chicago, the client will request recovery of the global access token in Sydney. Chicago DC 1307 generates a global token and signs the global token using the global private key. The global private key is available to all DCs. In embodiments, a global access token is used to access only IDCS REST APIs, so using this global token to access non-IDCS REST APIs across multiple regions will result in errors.

The IDCS deployment at Sydney DC 1303 consumes and validates the global token when it is presented. The client can then access resources in Sydney that are not specified in Sydney. In embodiments, a client may only be specified in one IDCS deployment, but still be able to access resources in other deployments.

However, a client may desire more than just accessing resources in another region. For example, in known systems, if a client desires to create an identity cloud account or IDCS deployment in a certain region (eg, Chicago or a "master" data center), the customer creates that account. However, if the same customer wants to use that identity in another region (for example, Amsterdam) and use that region's workload, the customer must first create a new Identity Cloud account in Amsterdam. , then two separate identity accounts would be created for the same customer. Otherwise, the customer could continue to communicate with the first region, but would experience significant delays if the customer was in Amsterdam and forced to use Chicago's workload.

In contrast, embodiments of the present invention automatically replicate a customer's identity cloud account in Chicago (ie, the "master" data center) to Amsterdam (ie, the "replica" data center) or any other location. In one embodiment, a customer/tenant is given the option of using an existing account in Chicago from Amsterdam, where the information is bootstrapped to Amsterdam and changes are continuously captured and replicated thereafter.

In embodiments, a region represents an entity that can deploy IDCS services. The area is included in the island. Each regional IDCS deployment has deployment-specific data and metadata artifacts.

In embodiments, the "master" region is where the master tenant is located and the replica region is where the "replica" tenant is located. The master tenant in an embodiment is a physical IDCS tenant stripe in a particular region selected by the customer. Each stripe holds a customer's master data set that is stored in a database schema and replicated to replica tenant stripes. A replica tenant in an embodiment is a physical IDCS tenant stripe that is created and managed by the eventually consistent replication process disclosed below. Each stripe is stored in a database schema and holds replica data for a customer. A replication cluster is a set of IDCS regions within an island where one region is the master region and the other regions are replica regions.

However, replication or bootstrapping across multiple regions poses several problems. For example, a change log is created on the master and sent to the replica. FIG. 14 illustrates the processing flow of replication change events/logs between a master IDCS deployment 1401 (“IDCS1”) and a replica IDCS deployment 1402 (“IDCS2”) according to an embodiment of the invention. In one embodiment, the functions of the flow diagram of FIG. 14 (and FIGS. 15 and 17 below) are implemented by software stored in memory or other computer-readable or tangible medium and executed by a processor. . In other embodiments, this functionality is provided by hardware (e.g., through the use of application specific integrated circuits ("ASICs"), programmable gate arrays ("PGAs"), field programmable gate arrays ("FPGAs"), etc.); Alternatively, it may be realized by any combination of hardware and software.

Master 1401 includes an admin service 1405 (ie, an admin SCIM microservice, such as admin SCIM microservice 1116 of FIG. 11) and a replication service 1408 (also implemented as a microservice in an embodiment). Similarly, replica 1402 also includes a management SCIM microservice (not shown) and a replication service 1407. Data stores 1406 and 1412 store some of the resources and other related data. In one embodiment, each resource is an IDCS REST API resource.

In embodiments, each IDCS deployment 1401, 1402 includes one or more sharded queues 1430, 1431, respectively. A sharded queue is a logical queue that is transparently divided into multiple independent physical queues by system partitioning. In one embodiment, the sharded queue is a Java Messaging Service ("JMS") sharded queue.

At 1420, a SCIM write request for one of the replicable resources reaches the management service 1405 of the master 1401.

At 1421, management service 1405 processes the request and writes the resource to data store 1406. In one embodiment, "writing" the resource includes "persisting" the resource into a database via a Java Database Connection ("JDBC") using SQL statements.

At 1422, management service 1405 generates a change event (as a result of writing the resource to data store 1406) and writes it to one of multiple shard queues 1430. In one embodiment, change events for a tenant are always enqueued to the same shard based on the calculated hash.

At 1423, replication change events in each shard queue 1430 are dequeued by dedicated transport handler 1435 of replication service 1408 in the same order in which they were enqueued into queue 1430.

At 1451, the transport handler 1435 pushes a change event in the form of a bulk message to the replication service 1407 of the replica 1402 via a REST API call. In one embodiment, the message is in JSON format containing a modified event with added headers as described in the standard SCIM "Bulk Operations" according to RFC7644.

At 1452, replication service 1407 concurrently writes bulk messages to local shard queue 1431. In one embodiment, change events transported from master 1401, given at 1452, are always enqueued to the same corresponding shard at 1402. For example, if a change event is inserted into shard Q1 at 1422, the same change log enters replica (1402) and enters shard Q1 at 1452.

At 1453, dedicated apply handler 1430 dequeues the message from shard queue 1431.

At 1454, apply handler 1430 writes the messages to local data store 1412 in the same order in which the messages were dequeued.

In general, the replication functionality in Figure 14 allows messages from tenants to be enqueued into the same shard queue in the master region, transport handlers to process dequeued messages in the same order, and transported messages about tenants to on the same shard in the replica region, and the apply handler processes the dequeued messages in the same order, ensuring that all change events on the master are processed sequentially without data conflicts.

However, even though change events are processed sequentially in one master from the master region (master 1401) to the replica region (replica 1402), there are still several scenarios in which data conflicts can occur. For example, data races can occur because (1) during tenant data bootstrapping, exported bootstrap data and ongoing change events may overlap; after tenant bootstrapping, these overlaps may overlap; (2) improve service-level agreements (“SLAs”) for tenant service provisioning in the replica region; For this reason, reverse syncing to the master may cause data conflicts. However, in embodiments, conflict avoidance for these scenarios is also avoided since the same sequence at the master is followed at the replica.

FIG. 15 shows a process flow for conflict resolution between a master IDCS deployment 1401 and a replica IDCS deployment 1402 according to an embodiment of the invention.

At 1501, dedicated apply handler 1470 dequeues change events from each shard queue 1431.

At 1502, apply handler 1470 attempts to apply the changes at local data store 1412 and then determines whether there is a data conflict. Table 1 below lists the various types of operations (i.e., Create, Read, Update, Delete, and Query (“CRUDQ”) for all IDCS resources). Schema-based REST API (resulting behavior) and types of data conflicts that may occur.

One of the conflict resolution logics in Table 1 is implemented in response to data conflicts. If the conflict resolution logic 1b, 2a or 4a of Table 1 is implemented, the resource is fetched from the master 1401 at 1503.

At 1504, apply handler 1470 reconciles resources at replica 1402.

The functionality in embodiments of the invention is performed at the application level/layer (rather than at the database level, cache level, etc.). Specifically, the functionality is performed by one or more microservices (eg, management service 1405 and/or replication service 1408, 1407) rather than the database. As such, embodiments run much faster than other solutions, and embodiments can automatically reconcile on demand. Embodiments avoid data conflicts in single master replication flows. This is because all change events for a tenant are processed serially by both transport handlers and apply handlers.

FIG. 16 is a block diagram illustrating further details of a master IDCS deployment 1401 and a replica IDCS deployment 1402, according to an embodiment of the invention. In the master 1401, management services 1602 and 1603 connected to the tenant DB 1604 (ie, data store) receive the REST API request 1601.

Master 1401 and replica 1402 each send a message (in one embodiment, an Oracle Advanced Queuing ("AQ") message, or an Apache Kafka message) to a partition based on a hash. Includes shard queues 1610 and 1620 to issue. At master 1401, messaging transport handler 1622 maintains sequence by providing one thread transport per shard. Worker threads are provided to the replication service 1625, each holding one buffer at a time. Replication service 1625 acts as an endpoint that maintains the sequence by issuing one buffer at a time to a receive and apply queue (ie, shard queue 1620). Messaging apply handler 1630 maintains sequence by providing one thread application per shard. Replication service 1625 also serves as an endpoint for applying changes to tenant DB 1640 (ie, data store). In embodiments, each replication service in an IDCS deployment has the ability to act as a "master" and/or a "replica."

FIG. 16 is a more detailed diagram of FIG. 14, including partitions, queues, and worker threads. Figure 16 shows the actual flow of change logs through the queuing system. On the "master" side, two admin services 1602 and 1603 operate in parallel. 1610, 1622, 1620, and 1630 form a "pub-sub" (publish-subscribe) system, which in one embodiment is implemented as Oracle's "Advanced Queuing" ("AQ"). , 1430, 1435, 1407, and 1452 in FIG. 14 are shown in more detail. For example, as soon as 1602 or 1603 issues a message to 1610, a hash is calculated for the change log corresponding to the tenant ID. This means that change logs corresponding to a particular tenant are always hashed to the same "partition". On the receiving side (ie, the replica), the same logic is applied, and the change log corresponding to the tenant always goes through the same partition on the replica (1620). Also note that since the number of partitions is fixed, the calculated hash is assigned to one of the partitions using the "mod tenant ID" (1610).

FIG. 17 is a flow diagram of conflict resolution according to replication according to an embodiment of the present invention. As previously discussed, conflict resolution is necessary to resolve data-related modification application failures even when using a single-master replication model (i.e., the model described in connection with Figure 14). be. This is because changes to replica IDCS instances may be applied out of order due to multi-threaded replication processing flow logic or when reapplying previously failed changes. Embodiments resolve data conflicts by using update timestamps, where changes are determined to be applied or skipped by comparing the operational timestamp of each change entry with the update timestamp of an existing target entry. Decide what to do.

In addition to supporting conflict resolution based on update timestamps with existing target entries, embodiments also manage tombstones for deleted entries. These tombstone entries are used to resolve conflicts when applying out-of-order corrective changes to target entries that have already been deleted.

Based on the planned conflict resolution logic, embodiments determine whether to skip/apply the change or return the change to the message queue for change retry. Changes that were skipped or applied based on conflict resolution logic can be purged.

Modification applications can fail for the following reasons:
1. System/resource issues or transient stability issues such as the network, target DB or IDCS Replicate service going down;
2. Replication service processing changes out of order, or
3. Data problems with replica IDCS instances due to admin errors when applying previous changes or software bugs in IDCS.

Reasons (1) and (2) would be resolved by conflict resolution logic plus appropriate modification of retries per configured number of retry attempts. Reason (3) may result in permanent change application failure. Therefore, in one embodiment, failed changes need to be moved to an exception queue for human intervention.

The IDCS messaging service has built-in message retry logic with enhanced exponential delay functionality to apply retry changes to replication processing flows. It also has an exception queue that is used to hold change messages that have not been applied too many times (per configuration).

As a result of the above error handling method, embodiments obtain the following replication conflict avoidance design guarantees.
・Messages are not lost.
・Messages do not arrive out of order.
- Possible double message due to network/DB error/timeout.
- Reconciliation/bootstrap can result in revocation messages that also function as double messages.

For the functionality of FIG. 17, the following requirements exist in one embodiment.
- Set the DB generation system time as the time the resource was last modified. This is necessary to maintain one source of timestamps/clocks for data comparison in order to drop duplicate changelogs and stale changelogs caused by full resource reconciliation.
- In the master IDCS instance, read back the time when the resource was last modified from the DB and capture it as the change log time.
- In a replica IDCS instance, the time the resource was last replicated is updated when applying the change log and reconciliation of all resources. Maintain one clock source by using the change log time from the master as the last replicated time.

Common errors include:
- In 1702, tenant does not exist (or) DB related error (or) connection error (or) timeout. The apply handler retries until it succeeds.
- At 1704, service isolation/restart is handled as part of the health check framework.

Operation and error handling processes include:
●Creation (1706)
〇Resource already exists (1708)
● Compare the last modified time of the payload with the last replicated time of the replica DB
●If the timestamps are the same, drop the changelog
●If not, perform all resource reconciliation ●Replace/Update (1710)
〇Resource does not exist (1712)
● Execute all resource reconciliation (1714)
〇Error due to resource data inconsistency/corruption (1712)
● Execute all resource reconciliation (1714)
〇Double update attribute level (possibility of double entry as a result in case of MVA)
● Compare the last modified time of the payload with the last replicated time of the replica DB
● Drop changelog if timestamps are the same or smaller
● Otherwise apply change log. Add/Replace/Delete CMVA - This is only possible if the message is lost. Things that should not happen.
●Delete (1716)
〇Resource does not exist (1718)
● Duplicate message: Drop change log ● Create lost: Should not happen.
●Reconcile (1714)
〇 Acquire all resources from the master IDCS instance and apply them to the replica. Compares the replica's last replicated time to the last time the resource from the master was modified and drops stale change logs that are already queued.

As disclosed, embodiments provide replication of data between multiple identity management system deployments in different geographic areas using a multi-tenant cloud system. Thus, tenants of one deployment in one geographic area can access the same resources in a second geographic area. Embodiments replicate this data using sequential processing of change events. Embodiments further provide resolution for any data conflicts that may occur during data replication.

The Resource Metadata Replication Resource Manager is the common data access layer of IDCS. It is metadata driven and thus can manage any resource type defined in the SCIM compliant resource type and schema definitions. The resource manager handles all common logic for all resource types, including schema-based validation of attributes, data types, required values, canonical values, etc. It also handles setting default values, setting "created/updated" values, setting "created/updated by" values, protecting sensitive attributes, mapping to target attributes, authorization checking, and event publishing. . The external interface of the resource type data manager is HTTP/REST (deployed on the IDCS Admin server and invoked by the "ServiceUp" command), and its internal implementation is done through the Java interface. In one embodiment, the implementation is injected based on a Java Specific Request ("JSR") 330 using the Hundred-Kilobyte Kernel ("HK2"). The Resource Type payload follows the resource model outlined by SCIM 2.0. For example, "/Applications" and "/Credentials" are unique resource types.

Resource definitions and schemas are "/ResourceTypes" and "/Schemas" (i.e., resource type definitions or "RTDs"), which define the endpoint, the supported behaviors for this endpoint, the core and resource metadata that includes information such as extended schema names, etc.). The resource type data manager stores operational data per tenant (e.g., users, groups, tokens, resource types, schemas, etc.), tenant settings (i.e., service-to-service tenant-specific settings and service-specific tenant-specific settings), and global configuration (i.e., service-to-service tenant-specific settings). global configuration and service-specific global configuration).

Embodiments of IDCS require storing and managing identity data and storing objects that have reference relationships with other objects. Therefore, embodiments define and use a schema that can store such objects. This object reference relationship can be stored in either the referencing object or the referenced object, depending on each unique scenario. Generally, a schema is a set of attribute definitions that describe a resource. SCIM RFC7643 specifies a mechanism for storing and handling simple reference relationships via "$ref".

Regarding tenant data replication as disclosed above, certain global resources such as global resource types and schemas, which are resource definition metadata in IDCS, also need to be replicated across data centers and regions, and upgraded if necessary. There is also a need. As part of a metadata upgrade, there may be new resource types and schemas to add, as well as updates to some existing resource types and schemas to account for adding or removing attributes. If a region in a replicated environment is upgraded, data replication from this upgraded region to other regions will only occur if the other regions also have updated versions of resource types and schema metadata. It can work. Embodiments are directed to the replication and upgrade of global metadata in IDCS and ensuring that regions that have not yet been upgraded have the ability to interpret replication changes from regions that have been upgraded. This approach avoids data loss or contention and ensures high availability and disaster recovery due to globality.

As disclosed above in connection with FIGS. 14-17, when replicating data from one region to another, new attributes and new resources are also added if there is a schema change. However, the master and/or replica regions may be upgraded first (e.g. to account for a new release) and new attributes are supported in the other region even before they are upgraded. There is a need. Thus, embodiments support forward (ie, master to replica) and backward (ie, replica to master) replication, depending on which region is upgraded first. For a new attribute, the schema metadata that needs to be replicated may include what the attribute is, the type of the attribute, and the database table and column in which the attribute is stored. In embodiments, the schema metadata is in JSON format.

As disclosed, embodiments include island replication cluster maps, global access tokens (i.e., tokens/keys used to sign access tokens issued in one region and collected in another region), etc. allows IDCS to have globally replicated IDCS stripes that are reserved for replicating data/metadata that must be the same across islands, such as ) using an application-level replication design. This data is stored in a global database (eg, global database 620 of FIG. 6, also referred to as "Global_IDaaS DB"). The metadata that is replicated includes global resource types and schemas, including resource to database table mappings and SCIM attributes to database table column mappings. This metadata is required by the replication service to process change log messages. Therefore, replication and upgrade of resource types and schemas is a prerequisite for the data replication disclosed above in connection with FIGS. 14-17 in embodiments.

If the global resources that form the metadata are replicated following the same process as tenant stripe data replication disclosed above, this will result in multi-master replication and will cause data conflicts. Therefore, to ensure that all regions contain the same latest global resource type and schema, embodiments create a separate replication cluster configuration and designate one of the regions as the island master region (typically The island master has the latest released version) and designates all other regions within the island as replica regions. Embodiments replicate global resources at the island master to all other regions within the island range. For upgrades, embodiments first upgrade global resources in the island master before upgrading any of the other regions. In embodiments, the island master is not fixed. If one other region is upgraded with updated global resources and schemas, the island master and remaining regions are considered to be treated as replicas that are subsequently upgraded to the master region.

FIG. 18 shows a schematic diagram of a global resource replication configuration according to the embodiment. This configuration includes a single master region 1801 (Chicago) or "Island Master" within the "Earth" island 1802 whose global resource data is replicated to all other replica regions within the island 1802. This is different from data replication scenarios where an island can contain multiple master regions for different sets of tenants.

As part of a regional upgrade, there may be new resource types and schemas added, and some existing resource types and schemas may be updated to support new attributes. When one of the regions in a replicated environment is upgraded, in embodiments as disclosed, data replication from this upgraded region to another replica region is performed by a replication service in the replica region. can also work only if the replica region has updated versions of resource types and schemas, even if they have not yet been upgraded. The replication service can then interpret the changes as coming from the upgraded master region and also avoid data loss or conflicts during data replication. To support version compatibility in the master region and replication services in the replica region, embodiments utilize the data replication functionality of FIGS. 14-17. Whenever a resource type and schema in the island master region is upgraded to a new version, a change log message containing the upgraded resources from the master is sent to the replication service in the replica region to update the replica's GLOBAL_IDaaS DB. do. Replication services in the replica region then consume updated global resources from the global database, while other services still consume resources in the old version of the binary.

FIG. 19 illustrates global resource replication and upgrade from a master region 1901 (“island master” 1901 or master data center) to a replica region 1902 (or replica data center) according to an embodiment. In an embodiment, both master region 1901 and replica region 1902 are part of the same "Earth" island 1905.

At 1910, given the upgrade version number, embodiments generate a manifest file that includes modified/added global resource types and schema information compared to the previous release/version. In one embodiment, a Gradle task "GenerateManifestTask" generates the manifest. In the master IDCS instance, a task is executed at compile time to generate one manifest file for the RTD/schema with modifications/additions compared to the previous release/version.

In embodiments, the manifest file is located under idaas/core-common/src/generated/resources/. Its name is <current version number>rtd-schema-manifest.json, for example 18.2.6-rtd-schema-manifest.json. This includes:

The command that specifically requests execution of tasks under idaas is ./gradlew generateManifest.
Then, in the master IDCS instance, the Admin service generates a change log of RTD/schema changes due to version upgrade. The command is ./admin - srv -boot.config=/scratch/idcs/app/data/conf/boot.conf.local database initmetadataupgrade tr <releaseNumber> and the App CLI is called to update the file given in the manifest file. Load the RTD/schema from the path.

At 1912, the embodiment calls an Admin service 1920 to upgrade the global resources based on the manifest file and write them to the global database 1921.

At 1914, similar to 1422 of FIG. 16, management service 1920 publishes a replication event by writing the event to one of multiple shard queues 1930.

At 1915, replication transport handler 1932 pushes the global resource change log event to all other regions within the island (eg, to replica region 1902 and any other replica regions).

At 1940, the replication service 1962 at the replica region receives the above event and compares the current version number at the replica with the data upgrade version number at the master. If the replica version number is less than or equal to the master upgrade number, then at 1942 the replication service 1962 applies the global resource changes to the Global_IDaaS DB 1971. Otherwise, the changes are discarded at 1943. This is because the replica already has the highest metadata version.

At 1944, Replication Service 1962 loads global resources from DB 1971 and refreshes the corresponding cache. This ensures that the replication service 1962 consumes the updated version, so there is no data loss/contention while processing data replication from the upgraded master 1901 (i.e., As shown in Figure 17).

At 1945, embodiments modify all non-replication services 1965 (eg, Admin, Job, Reports, etc.) to load global resources from the binary distribution instead of the Global_IDaaS DB 1944. This ensures that updates to resources in replication service 1962 do not affect non-replication service runtime processing or service reboots. This is because loaded resources are always aligned with the binary version, and the reason is that the latest metadata is not used and the API context is not changed.

Specifically, when the global resource replication function in Figure 19 is completed, the global DB is upgraded to the latest version, and the replication service of each replica uses the new version to avoid compatibility issues in later replication events. To avoid. However, at each replica, other non-replication services have not yet been upgraded and are still using the current schema/resource type version stored in the jar/zip file (binary distribution) when the program was built and compiled. There must be.

As disclosed, embodiments are directed to application-to-application replication rather than database-to-database replication, and use the unique global island master configuration of FIG. 18. In embodiments, change logs are used at replicas to update schemas/resources in a replication service. This schema metadata in embodiments is JSON. When replicating, if the replica is already at a higher version than the master, the changes will be ignored.

Embodiments provide automatic replication and simplified management of global resources. In embodiments, there is no DB-level data binding between IDCS master and replica instances. As a result, each IDCS instance can be upgraded independently without impacting other IDCS instances within the same replication cluster. The only data binding between the master and replica instances is through the controlled application data replication flows of FIGS. 14-17.

Several embodiments are specifically illustrated and/or described herein. However, it will be appreciated that modifications and variations of the disclosed embodiments are covered by the above teachings and within the scope of the following claims without departing from the spirit and intended scope of the invention. Dew.

Claims (13)

A method of operating a multi-tenant cloud system, the method comprising:
authenticating a first client and storing resources corresponding to the first client at a first data center, the first data center authenticating the first client and replicating the resources; communicating with a second data center configured to;
In response to an upgrade of global resources in the first data center to a new version, generating a manifest file containing a list of global resource types and schemas modified or added in response to the upgrade;
At the first data center, upgrading a global resource based on the manifest file, writing the upgraded global resource to a first global database, and generating a change event message corresponding to the upgraded global resource. ,
pushing the change event message to the second data center;
comparing the current version with the new version at the second data center;
at the second data center, applying the change event message to a second global database when the current version is not newer than the new version;
at the second data center, ignoring the change event message when the current version is as new as or newer than the new version;
at the second data center, modifying a non-replication service to load global resources from a binary distribution instead of the second global database. The method of claim 1, wherein the first data center pushes the change event message to the second data center via a REST API call. 3. The method of claim 1 or 2 , wherein the change event message is written to one or more first shard queues of the first data center. 3. The method of claim 2, wherein all the change event messages associated with a first tenant are written to the same shard queue. 3. The method of claim 2, wherein the change event message is written to one or more second shard queues in the second data center. The method according to any of claims 1 to 5 , further comprising loading global resources from the second global database and refreshing the corresponding cache at a replication service at the second data center. The first data center, the second data center, and a plurality of other data centers form an island, and the method includes:
The claim further comprises: designating one data center of the data centers in the island as a master data center when the one data center is upgraded and designating all other data centers as replica data centers. The method according to any one of items 1 to 6 . A method according to any preceding claim, wherein the upgrading of resources in the first data center comprises adding new resource types and schemas. A computer program product storing instructions that, when executed by at least one of a plurality of processors, cause said at least one processor to perform the method according to any of claims 1 to 8 . A multi-tenant cloud system data center,
a management service configured to authenticate a first client and store resources corresponding to the first client, the multi-tenant cloud system data center authenticating the first client and replicating the resources; communicate with a second data center configured to
a global database coupled to said management service;
The management service further generates, in response to an upgrade of global resources in the multi-tenant cloud system data center to a new version, a manifest file that includes a list of global resource types and schemas modified or added in response to the upgrade. and upgrading a global resource based on the manifest file, writing the upgraded global resource to a first global database, and generating a change event message corresponding to the upgraded global resource;
a replication service adapted to push the change event message to the second data center via a REST API call;
The second data center, in response to receiving the change event message, compares the current version with the new version, and if the current version is not newer than the new version, the second data center executes the change event message. applying a message to a second global database, ignoring the change event message when the current version is as new as or newer than the new version, and modifying the non-replication service; a multi-tenant cloud system data center configured to load global resources from a binary distribution instead of the second global database. 11. The multi-tenant cloud system data center of claim 10 , further comprising one or more first shard queues, wherein the change event message is written to the first shard queue. 12. The multi-tenant cloud system data center of claim 11 , wherein all the change event messages associated with a first tenant are written to the same shard queue. The multi -tenant cloud system data center, the second data center, and a plurality of other data centers form an island, and the management service manages one data center of the data centers of the island. 13. The multi-tenant cloud system data center of claim 12 , wherein a data center is designated as a master data center and all other data centers are designated as replica data centers when the data center is upgraded.

Images